Commarrior - вирус за Nokia Series 60

[Jane]

Commvarrior е вирус кој е наменет за Nokia Series 60 телефоните и е доста раширен низ градов. Повеќето сопственици на телефони кои се заразени од вирусот, не ни знаат дека постои. Самиот се испраќа како MMS порака или преку Bluetooth. Решив да ја напишам темава за уште некој да не настрада поради незнаење дека постои вирус за мобилен телефон. Вирусов не прави штета на телефонот. Тој ја троши батеријата со тоа што бара вклучени Bluetooth уреди за да ја испрати копија од .sys фајлот кој ќе го зарази другиот телефон. Друга лоша работа е тоа што ако имате активирано MMS, вирусот ќе избира броеви по случаен избор од именикот и ќе се праќа преку MMS порака. Ниту ова нема да наштети на телефонот, но кредитот многу брзо ќе ви се потроши, а ако сте на сметка, ќе ви стигне огромна сума и ќе мора да си ја платите вие, а не вирусот.

When SymbOS.Commwarrior.A arrives at a target device, it may perform the following actions:

1. Creates the following files on the phone:
   • \system\updates\commwarrior.exe
   • \system\updates\commrec.mdl
   • \system\apps\commwarrior\commwarrior.exe
   • \system\apps\commwarrior\commrec.mdl
   • \system\recogs\commrec.mdl
2. Rebuilds an .sis file from the above files into the following location:
   
   \system\updates\commw.sis
3. Searches for Bluetooth-enabled devices and attempts to send a randomly named copy of the .sis file to all devices that it finds.
4. Randomly chooses a phone number from the device's phonebook and sends an MMS message containing the commw.sis file as an attachment. The MIME type of the attachment is application/vnd.symbian.install.
   
   The MMS messages have the following characteristics:
   • Subject: Norton AntiVirus
     Message: Released now for mobile, install it!
   • Subject: 3DGame
     Message:3DGame from me. It is FREE !
   • Subject:3DNow!
     Message:3DNow!(tm) mobile emulator for *GAMES*.
   • Subject:Audio driver
     Message:Live3D driver with polyphonic virtual speakers!
   • Subject:CheckDisk
     Message: *FREE* CheckDisk for SymbianOS released!MobiComm
   • Subject: Desktop manager
     Message: Official Symbian desctop manager.
   • Subject: Display driver
     Message: Real True Color mobile display driver!
   • Subject: Dr.Web
     Message: New Dr.Web antivirus for Symbian OS. Try it!
   • Subject: Free SEX!
     Message: Free *SEX* software for you!
   • Subject: Happy Birthday!
     Message: Happy Birthday! It is present for you!
   • Subject: Internet Accelerator
     Message: Internet accelerator, SSL security update #7.
   • Subject: Internet Cracker
     Message: It is *EASY* to *CRACK* provider accounts!
   • Subject: MS-DOS
     Message: MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
   • Subject: MatrixRemover
     Message: Matrix has you. Remove matrix!
   • Subject: Nokia ringtoner
     Message: Nokia RingtoneManager for all models.
   • Subject: PocketPCemu
     Message: PocketPC *REAL* emulator for Symbvian OS! Nokia only.
   • Subject: Porno images
     Message: Porno images collection with nice viewer!
   • Subject:PowerSave Inspector
     Message: Save you battery and *MONEY*!
   • Subject: Security update #12
     Message: Significant security update. See www.symbian.com
   • Subject: Symbian security update
     Message: See security news at www.symbian.com
   • Subject: SymbianOS update
     Message: OS service pack #1 from Symbian inc.
   • Subject: Virtual SEX
     Message: Virtual SEX mobile engine from Russian hackers!
   • Subject: WWW Cracker
     Message: Helps to *CRACK* WWW sites like hotmail.com
5. If it is the first hour of the 14th of any month, the threat resets the device.

 

[SaLt]

eve malo pojasnuvanje - dopolnuvanje :


SymbOS\Commwarrior.E

Description:

Commwarrior.E is a variant of family "Commwarrior". It claims itself as a GPRSsettings utilities which in fact, it's a malicious application that trying to fool the user to proceed to the installation step and causing malicious infection to the phone or the media card.

This malicious application is trying to replicates itself over bluetooth network and also MMS network and I've working on 1 hour to observed its replication method, in the first hour, it will replicates itself via Bluetooth network at a rate of 1 malicious file per 5 minutes, causing the phone battery drains faster abnormally. Around midnight 12 a.m., this malicious application will stop replicates itself via bluetooth network but it will replicates itself via MMS network.

This spreading technique is quite effective as you can see it's working in "invisible background", causing normal user didn't aware them until they notice they get a "high billed" amount of MMS charges.

The main difference of this variant with the previous variant is, it will generates different codes and replicates itself via another bluetooth device, while installing, the image below shown is a screenshoot taken in another phone which the user has authorised the infected device to send the suspicious file.

Affected Platforms:

Tested on:

· Nokia 6680
· Nokia 3660

Affected:

· Nokia 6680
· Nokia 3660

Analysis/Observation:

This trojan was distributed in an application file and it is spreading in Commwarrior.E.SIS or GprsSettings.SIS .


Symtomps:

When user try to install this suspicious *.SIS file, the image shown below is screenshoot taken during installation process:

During installation, a message will pop out as shown below:

Method of Infection

It will replicates itself via bluetooth network and also MMS network that it will randomly pick up the contacts details in user's phonebook and send itself to the selected victim.

It has a unique feature that similar with Commwarrior.C, that is, it will protect itself although user has deleted the malicious directory.

The above text show the messages that used by this malicious application to spread itself via MMS network:

Subject: Llamame cuando veas
Message: Problema de bateria en Nokia!

Subject: Mira!!
Message: Ole!!!Universidad de Madrid y Valencia.

Subject: Nuevas Tiendas!
Message: Hay que pagar para respirar y mear

Subject: Movistar!
Message: Fernando Alonso te envia una invitacion! Sr Gonzalo

Subject: Norton AntiVirus
Message: Instalacion paramoviles,instalar ya!

Subject: Paulina
Message: Nuevo Antivirus para los Nokia s60s. Instala

Subject: Quieres Reirte
Message: Todos vendemos.Gracias Maria!

Subject: Deejay
Message: Conseguir eso..Maldito Sea!

Subject: Amor Libre!
Message: Descarga nuevos sonitonos aqui!

Subject: AmorVirtual
Message: Mp3 Player paraNokia series 60. Instalalo yaa!

Subject: Mi tema erotico
Message: Coleccion de mis fotoalbum fallas 2006!!!

Subject: Quedamos a tomar algo?
Message: Viva las fallas de Valencia, mascletas online

Subject: Ayudanos mo
Message: vilforum,todo sobre movilesy demas......com

Subject: Me he cambiado..
Message: Me he cambiado la direccionde email, esta

Subject: HP-CITY
Message: Veroo eres un zorron, guarrita. Instalalo si eres tu. Instala!

Subject: Mis Albumes
Message: Maria! Traeme las bragas de tu madre!!!!! Solo Nokia.

Subject: Sonitonos Nokia
Message: Politono Popcorn anuncio renault clio

Subject: Telefonica Anuncia.
Message: Vodafone y Amenase fusionan. Compra un PpPpc.com

Subject: A mi novia XXXX
Message: Solo trabajemos 6 horas diarias .....!

Subject: Se busca gente
Message: Antena 3 y Telecincoven

Subject: Antena 3 y T elecinco...
Message: Diapositiva PowerPoint ensymbian.com

Subject: Mi e-mail es este
Message: Jorge y yo nos casamos e n 2 meses!!.

Subject: Feliz Cumple!!!
Message: Felicidades!!!! Tienes una postal aki!

Subject: Amor Libre!
Message: Descarga nuevos sonitonos aqui!

Subject: AmorVirtual
Message: Mp3 Player paraNokia series 60. Instalalo yaa!

Subject: Mi tema erotico
Message: Coleccion de mis fotoalbum fallas 2006!!!

Subject: Quedamos a tomar algo?
Message: Viva las fallas de Valencia, mascletas online

Subject: Ayudanos mo
Message: vilforum,todo sobre movilesy demas......com

Prevention:

This malware requires that the user intentionally install them upon the device. As always, users should never install third party application from unknown site.

How to uninstall:

CalvinStinger v1.2 will able to remove this malware which will be available soon in its official site.

Write up on 30th March 2006

Pozajmeno od :

 

[Jane]

Еве кои телефони можат да се заразат:

Series 60 Version 0.9, based on Symbian OS 6.1

• Nokia 7650

Series 60 1st Edition (Version 1.2), based on Symbian OS 6.1

• Nokia 3600
• Nokia 3620
• Nokia 3650
• Nokia 3660
• Nokia N-Gage and N-Gage QD
• Samsung
• Sendo X
• Sendo X2

Series 60 2nd Edition (Version 2.0), based on Symbian OS 7.0s

• Nokia 6600
• Samsung SGH-D710

Series 60 2nd Edition, Feature Pack 1 (Version 2.1), based on Symbian OS 7.0s

• Nokia 6620
• Nokia 7610
• Nokia 6260
• Nokia 6670
• Nokia 3230

Series 60 2nd Edition, Feature Pack 2 (Version 2.6), based on Symbian OS version 8.0a

• Nokia 6630
• Nokia 6680
• Nokia 6681
• Nokia 6682

Series 60 2nd Edition, Feature Pack 3 (Version 2.8), based on Symbian OS version 8.1a

• Nokia N70
• Nokia N90

S60 3rd Edition (Version 3.0), based on Symbian OS version 9.1

• Nokia 3250
• Nokia E60
• Nokia E61
• Nokia E70
• Nokia N71
• Nokia N80
• Nokia N91
• Nokia N92

:kajg::kajg::kajg:

 

[Мистичен]

У принцип, добро е што не можеш да се заебеш, освен ако сам не се заебеш.

Али Симбианот е ѓаолска работа, нон-стоп имаш занимација со него, те тера само да чепкаш, да инсталираш, еден вид на зараза е. И што поеќе чепкаш, поголеми се шансите да кркнеш нешто вакво.

 

[Jane]

Абе кога инсталираш нешто ќе те праша ако нема сертификат дали да провери на интернет дали чини фајлот или е некој вирус... но македонче не би дал 30 денари за да се уклучи на интернет само за да го види сертификатот. Но во другите земји интернетот на мобилен е поевтин и затоа нема да фаќаат толку вируси

 

[Mac))]

Ејј овој вирус другар ми го имаше се чудеше што е......
Сеа одма му кажувам....Стварно многу низ градов го имаат

 

[krusha03]

има многу поопасни вируси од овој ама ги нема уште сртетнато кај нас. Едни од нив се Skulls и Metal Gear кои ти ги мењаат сите икони во костури и неможеш ништо да користиш на мобилниот

 

[Jane]

има многу поопасни вируси од овој ама ги нема уште сртетнато кај нас. Едни од нив се Skulls и Metal Gear кои ти ги мењаат сите икони во костури и неможеш ништо да користиш на мобилниот

А како се фаќаат? Bluetooth, MMS, Internet...?

 

[SaLt]

Ajko nekoj sak Fix , mislam antivirus za ova g*mnence od virus moze da najde i simne tuka :
http://symbian.com.mk/forum/index.php?topic=808.0

 

[krusha03]

А како се фаќаат? Bluetooth, MMS, Internet...?

Вирусот се шири преку bluetooth и може да дојде под различни имиња и има повеќе верзии. Но, мора корисникот сам да го инсталира. Затоа е го оставајте bluetoothот уклучен и не примајте пораки од непознати праќачи.http://www.mobile88.com/klee/entry.asp?ENTRY_ID=31

 

[Tutkar]

drugarce sobra virus preku bluetooth, nesto mu se ukoci pa sega mu e servis, valjda se resava toj problem nekako.

 

[Jane]

drugarce sobra virus preku bluetooth, nesto mu se ukoci pa sega mu e servis, valjda se resava toj problem nekako.

Не морал да иде на сервис. На интернет ќе го пише името и ќе му даде инструкции како да го избрише, а можел и на форумов да побара помош.