NEWS FROM THE LAB - Tuesday, August 1, 2006

New Variant of Commwarrior Detected
Posted by Jarno @ 12:41 GMT

Today we received a new Commwarrior sample - SymbOS/Commwarrior.Q.

Unlike most Commwarrior samples we have received, Commwarrior.Q is not just a hexedit of Commwarrior.B. Commwarrior.Q is a completely new variant with new functionality.

Commwarrior.Q is based on Commwarrior.C and has the same functionality as Commwarrior.C, plus more.

Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages, and infects any memory card inserted into the device. Additionally, Commwarrior.Q searches the infected device for any SIS file installation packages and injects itself into any that it finds. That means that besides trying to spread by itself, Commwarrior.Q also tries to get users to distribute it. For example, a user might have a game installation SIS that he copies to a friend.

Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates. The file size of the Commwarrior.Q SIS file varies between 32100 bytes and 32200 bytes. That makes it difficult to exclude from MMS traffic.
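To make the filtering problem concrete, the following added example (not F-Secure's code) compares an exact-size rule with a size-window rule on constructed MMS attachments. It assumes the legacy pre-Symbian 9 SIS header layout, in which the third 32-bit UID is 0x10000419; all function names and sample data are hypothetical.

```python
import struct

# Legacy (pre-Symbian 9) SIS header: four little-endian 32-bit UIDs;
# UID3 is the installer UID 0x10000419.
LEGACY_SIS_UID3 = 0x10000419
# Size window the post reports for replicated Commwarrior.Q packages.
SIZE_MIN, SIZE_MAX = 32100, 32200

def is_legacy_sis(data: bytes) -> bool:
    """True if the attachment starts with a legacy SIS header."""
    if len(data) < 16:
        return False
    return struct.unpack_from("<4I", data)[2] == LEGACY_SIS_UID3

def exact_size_rule(data: bytes, known_sizes: set) -> bool:
    """Naive filter: block SIS files whose size matches a seen sample."""
    return is_legacy_sis(data) and len(data) in known_sizes

def size_window_rule(data: bytes) -> bool:
    """Triage filter: SIS file anywhere inside the reported size window."""
    return is_legacy_sis(data) and SIZE_MIN <= len(data) <= SIZE_MAX

def make_sis(size: int) -> bytes:
    """Constructed stand-in: valid-looking header plus zero padding."""
    header = struct.pack("<4I", 0x10000000, 0x10003A12, LEGACY_SIS_UID3, 0)
    return header + bytes(size - len(header))

# Constructed attachments, not real samples.
SAMPLES = {
    "copy_a.sis": make_sis(32123),
    "copy_b.sis": make_sis(32177),
    "game.sis": make_sis(180000),
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32146),
}

def triage(samples: dict, known_sizes: set) -> dict:
    """Return {name: (exact_hit, window_hit)} for each attachment."""
    return {name: (exact_size_rule(d, known_sizes), size_window_rule(d))
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES, {32123}).items():
        print(f"{name:12} exact={hits[0]!s:5} window={hits[1]}")
```

A window hit is only a cue to pass the attachment to a scanner, since unrelated SIS files can fall in the same range. Host packages that Commwarrior.Q has injected itself into fall outside the window and need content-based detection.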

When Commwarrior.Q is installed, it displays an HTML page in the phone's default browser after a random delay.


The sample that we received came from a regular user, so Commwarrior.Q is in the wild, but we don't expect it to be a large outbreak, as we have received only one report so far. And as Commwarrior.Q displays the HTML page that states that the phone is infected, it's unlikely that Commwarrior.Q would cause a large-scale outbreak.

Commwarrior.Q is detected by F-Secure Mobile Anti-Virus with database update 103.