NEWS FROM THE LAB - Friday, August 4, 2006

Updated Commwarrior.Q Description and Disinfection Method

Posted by Jarno @ 12:55 GMT

We have finished analyzing the latest Commwarrior variant - Commwarrior.Q.

Commwarrior.Q Source Code

While we were reverse engineering the sample, we found an interesting feature within. The Commwarrior.Q and C variants both have an internal deactivation mechanism. Creating a file named "noboot" in the e:\system\temp folder will prevent Commwarrior.Q and C from starting when the phone is rebooted.

So to disinfect Commwarrior.Q and C:

Kill the Commwarrior Process

  1. Install a third-party file manager
  2. Using the file manager, create a file named "noboot" in the E:\System\Temp\ folder
  3. Reboot the phone

Install F-Secure Mobile Anti-Virus to finish cleaning up your phone

  1. Open the phone's web browser
  2. Go to http://mobile.f-secure.com
  3. Select the "Downloads" link and then select the phone model
  4. Download the file and select open after download
  5. Install F-Secure Mobile Anti-Virus
  6. Go to the Applications menu and start Anti-Virus
  7. Activate Anti-Virus and scan all files