Latest Threats
A new Commwarrior variant in the wild
F-Secure's Viruslab received a sample of a new Commwarrior variant,
Commwarrior.C, last Wednesday. It is probably the most dangerous
mobile phone virus detected so far. Luckily it does not seem to be
widespread yet.
Commwarrior.C spreads over Bluetooth using random file names, as the
earlier variants do, but the MMS functionality is different.
Commwarrior.C goes through the address book and sends messages to the
numbers found there, just like the A and B variants did. In addition,
it also mimics the user's own MMS behaviour. Commwarrior.C listens for
any arriving MMS and SMS messages and replies to them with an infected
MMS. And when the user sends an SMS message, Commwarrior follows it by
immediately sending a second message to the same address: an infected
MMS. The messages sent by Commwarrior.C contain text gathered from SMS
messages stored on the phone, which means that the recipient of the
MMS receives a text that does not seem too strange.
Together these make a very strong social engineering trick: you send
an SMS message to an infected friend, and his phone immediately
answers you back with an infected MMS, complete with a message text
stolen from random earlier messages!
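The auto-reply and follow-up behaviour described above leaves a
recognisable pattern in a phone's message history: an outbound MMS
carrying a SIS installer sent to the same number within seconds of an
inbound message, or within seconds of the user's own outgoing SMS. The
following script is an added example, not F-Secure code or anything
from the virus itself; it runs a defender's heuristic over a
constructed message log whose format, numbers, attachment names and
30-second window are all assumptions for this illustration.

```python
"""Heuristic detection of Commwarrior.C-style MMS behaviour in a message log.

Added example, not F-Secure code. The log format, numbers and
thresholds are constructed for this illustration.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    ts: datetime
    direction: str   # "IN" or "OUT"
    kind: str        # "SMS" or "MMS"
    peer: str        # the other party's number
    attachment: str  # file name, or "-" when there is none


class Alert(NamedTuple):
    ts: Optional[datetime]
    peer: Optional[str]
    reason: str


# Constructed sample log (assumed format: date time direction kind peer attachment).
SAMPLE_LOG = """
2005-10-12 09:14:02 IN  SMS +358401111111 -
2005-10-12 09:14:05 OUT MMS +358401111111 x7q2.sis
2005-10-12 09:20:40 OUT SMS +358402222222 -
2005-10-12 09:20:41 OUT MMS +358402222222 a1b2.sis
2005-10-12 10:02:10 IN  SMS +358403333333 -
2005-10-12 10:30:00 OUT MMS +358403333333 holiday.jpg
2005-10-12 11:00:00 OUT MMS +358404444444 zz9.sis
"""

WINDOW = timedelta(seconds=30)   # assumed: how fast the auto-reply follows its trigger
MASS_THRESHOLD = 5               # assumed: distinct recipients of .sis MMS before flagging


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log into Events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        day, clock, direction, kind, peer, attachment = line.split()
        events.append(Event(datetime.fromisoformat(f"{day}T{clock}"),
                            direction, kind, peer, attachment))
    return sorted(events, key=lambda e: e.ts)


def is_installer(attachment: str) -> bool:
    """Symbian installers travel as .sis files; random names do not hide the extension."""
    return attachment.lower().endswith(".sis")


def find_alerts(events: List[Event]) -> List[Alert]:
    """Flag outbound .sis MMS that answer an inbound message or tailgate the user's own SMS."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.direction != "OUT" or ev.kind != "MMS" or not is_installer(ev.attachment):
            continue
        # Walk backwards looking for a trigger to the same peer inside the window.
        for prev in reversed(events[:i]):
            if ev.ts - prev.ts > WINDOW:
                break
            if prev.peer != ev.peer:
                continue
            if prev.direction == "OUT" and prev.kind == "MMS":
                continue  # an earlier infected MMS is not a trigger, keep looking
            if prev.direction == "IN":
                alerts.append(Alert(ev.ts, ev.peer,
                                    "auto-reply: .sis MMS answered an inbound message"))
            else:
                alerts.append(Alert(ev.ts, ev.peer,
                                    "tailgate: .sis MMS followed the user's own SMS"))
            break
    # Address-book spraying: the same installer going to many distinct numbers.
    recipients = {e.peer for e in events
                  if e.direction == "OUT" and e.kind == "MMS" and is_installer(e.attachment)}
    if len(recipients) >= MASS_THRESHOLD:
        alerts.append(Alert(None, None,
                            f"mass-mailing: .sis MMS sent to {len(recipients)} distinct numbers"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert.ts, alert.peer, alert.reason)
```

On the sample log this reports two alerts: the reply to +358401111111
three seconds after its inbound SMS, and the installer MMS sent to
+358402222222 one second after the user's own SMS. The JPEG sent to
+358403333333 is ignored because it is not an installer, and the single
MMS to +358404444444 has no trigger inside the window. The same logic
would fit in an operator-side MMSC filter, where the SIS attachment and
the timing relative to the preceding message are both visible.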
Commwarrior.C also copies itself onto any MMC card inserted into the
phone, so it is also capable of spreading to other phones if you share
your card.
Regardless of the spreading method, the recipient still has to accept
and install the virus's SIS file, and accept the usual system warning
about installing an unsigned application.
In addition to spreading, Commwarrior.C also carries some payloads
that indicate it has infected the phone. On some phones Commwarrior
changes the operator logo to its own logo, which contains the text
"Infected by CommWarrior".
The virus might also open a web page in the phone's browser. This
website (which is hosted in Russia) has lifted some of its content
from F-Secure's web pages at mobile.f-secure.com.
Commwarrior.C is detected by F-Secure Mobile Anti-Virus since October
13, 2005.