Virus Strike ... Import so read this

Virus Characteristics:
This threat is a malicious .SIS file targeting Nokia series 60 based devices. The virus masquerades as a variety of benign applications, including games, porn, and cross platform emulators. See “Table 1 - MMS Message Text” for a more complete list of subjects and message content.

It replicates by sending itself to nearby Bluetooth devices as well as via MMS. The MMS recipient appears to be selected from the host address book. Once it is in the host inbox the user can view the message and must approve the installation of the SIS. Once installed several files are dropped (see Table 1 - MMS Message Text) and the virus sets itself up for automatic execution at system start.

Affected Platforms:
Series 60 devices

Confirmed devices:
Nokia 7610
Nokia 6600

Symptoms

Upon installation of the .SIS file, the user will be presented with the misleading dialogue for installing the virus SIS . See Figure 1 - Figure 4 , below. See also ‘Table 1 - MMS Message Text ’ for a list of the possible MMS subject and messages.



Figure 1 - Bluetooth Receive Prompt



Figure 2 - SIS Installer Prompt



Figure 3 - Inbox



Figure 4 - Installer Details



Table 1 - MMS Message Text

Immediately after installation, the worm copies itself to c:\system\updates\commwarrior.exe and places a boot hook in c:\system\recogs\commrec.mdl . Finally, it copies its installation SIS file (which will be sent to target systems) to c:\system\updates\commw.sis .

Note that because the worm does not install an application, no user-visible indication of infection is present.

Once running, the application probes the Bluetooth network for nearby devices with an "OBEX push" (i.e. "file beaming") profile and sends the commw.sis file to them, renamed with a random-looking file name.

Note that unlike earlier worms, this worm properly uses the Bluetooth SDP protocol to detect devices. It will therefore successfully spread to (but not run on) devices other than Nokia Series 60 phones. It will also not exhibit the "hang" behavior observed with SymbOS/Cabir worms that try to infect devices that are not listening.

The worm retries to infect nearby devices every ~1 minute.

Presumably (this has not been verified yet) the worm also sends MMS messages containing the same infected content to recipients listed in the phone and/or SIM's address books. Because MMS is a message (not file) based protocol, it attaches itself as an attachment to a message with text indented to entice the target user into installing the file.

Upon reboot, the "recognizer" file in c:\system\recogs\commrec.mdl runs and starts an instance of commwarrior.exe running, ensuring that the process continues.

The following files are installed by CommWarrior:
c:\system\apps\commwarrior\commrec.mdl - 2,152 bytes
c:\system\apps\commwarrior\commwarrior.exe - 27,936 bytes
c:\system\apps\commwarrior\commrec.mdl - 2,152 bytes
c:\system\recogs\commrec.mdl - 2,152 bytes
c:\system\updates\commrec.mdl - 2,152 bytes
c:\system\updates\commwarrior.exe - 27,936 bytes
c:\system\updates\commw.sis - 30,582 bytes

Payload:
Rapid battery drain.
Propagates via MMS to addresses in the user address book.
Propagates to nearby Bluetooth devices.

Method Of Infection

This virus replicates via MMS to addresses in the user address book and to nearby Bluetooth devices.

Removal Instructions

Use a file manager to delete:
c:\system\recogs\commrec.mdl
Reboot the handset.
Delete the following (now inert) files:
c:\system\updates\commrec.mdl
c:\system\updates\commw.sis
c:\system\updates\commrwarrior.exe
c:\system\apps\CommWarrior\commwarrior.exe
c:\system\apps\CommWarrior\commrec.mdl

Mislim da imam negde ovaj u kolekciji. Ako je neko zainteresovan za proučavanje virusa samo u edukativne svrhe, neka javi, postovacu ga.

Ma virusi nisu problem, glej kolko ih ja imam brate!