How to recognise Comwarrior

The Comwarrior program will only work on handsets using the Symbian operating system, such as the Nokia 3650 and 6600.

The program will leave the Bluetooth functionality of the handset permanently switched on, but this will not be indicated by the handset’s Bluetooth indicator. 

If the user can obtain another Bluetooth-enabled device (laptop, PDA or mobile phone), they can check for the virus in the following way:

  • Switch off the suspect mobile device.
  • Switch on the other device.
  • Switch on the Bluetooth of the second device.
  • Set the Bluetooth on the second device to “discoverable to all” or “not hidden”.
  • Switch on the suspect mobile device.
  • If the suspect device has the Comwarrior virus running it will try to connect to the other device within a few minutes.

Background information

This program is believed to have come from Russia, and like the CABIR program it sends itself to other devices.  This is its only payload; the program does not attack any other part of the device.  The infected user is often unaware of the virus. 

The program will try to spread to other nearby Bluetooth devices in the same way as CABIR, but it also uses MMS. 

[Image: screen showing Internet accelerator]

The difference with this implementation is that it uses the contacts list in the Symbian device to forward itself as an MMS message to all contacts.  This will have an impact on infected users.  The program sends an MMS to all entries in the contacts list; this means that if a user has 50 entries the program may try to send 50 MMS messages over a period of time.  The program has no way of knowing what sort of entries they are, so landlines and fax machines could also be sent undeliverable MMS, at the user’s expense.


Attack

[Image: screen showing Bluetooth message]

The MMS or Bluetooth message will include a Symbian installation file (.sis file).  These seem to be named at random, to stop users being informed of which .sis files to avoid.
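Because the file names are random, a received file is better identified by its content than by its name. The following is an added example, not part of the original advisory: it recognises a legacy (pre-Symbian 9) .sis package by the fixed UIDs in its 16-byte header, assuming the publicly documented legacy SIS layout; the sample file names, the application UID and the helper names are constructed for illustration.

```python
import struct

# Legacy SIS header: four little-endian 32-bit words (UID1..UID3, checksum).
# UID3 is the fixed "this is a SIS file" marker; UID2 gives the EPOC generation.
SIS_UID3 = 0x10000419
SIS_UID2 = {0x1000006D: "EPOC 3-5", 0x10003A12: "EPOC 6 / Series 60"}


def classify_sis(data: bytes):
    """Return a label if data starts with a legacy SIS header, else None.

    Only the UID markers are checked; the header checksum is not verified.
    """
    if len(data) < 16:
        return None
    uid1, uid2, uid3, _checksum = struct.unpack_from("<4I", data, 0)
    if uid3 == SIS_UID3 and uid2 in SIS_UID2:
        return f"legacy SIS ({SIS_UID2[uid2]}), app UID 0x{uid1:08X}"
    return None


def triage(attachments):
    """attachments: iterable of (filename, bytes). Returns flagged (name, reason)."""
    flagged = []
    for name, data in attachments:
        label = classify_sis(data)
        if label:
            # A SIS payload under another extension is still an installer.
            if not name.lower().endswith(".sis"):
                label += " [extension does not match]"
            flagged.append((name, label))
    return flagged


def _constructed_sis(app_uid):
    """Build a header-only stand-in for a .sis file (constructed test data)."""
    return struct.pack("<4I", app_uid, 0x10003A12, SIS_UID3, 0) + b"\x00" * 32


# Constructed samples: random-looking .sis name, renamed .sis, harmless MIDI file.
SAMPLES = [
    ("q8z1kd0v.sis", _constructed_sis(0x01234567)),
    ("holiday.jpg", _constructed_sis(0x01234567)),
    ("ringtone.mid", b"MThd\x00\x00\x00\x06" + b"\x00" * 24),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLES):
        print(f"{name}: {reason}")
```

A check like this could run on the laptop used for the Bluetooth test above, or on any system that stores received files before they reach a handset.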


[Image: screen showing virus install request]

As with the CABIR virus, the user will be asked by the Symbian operating system if they agree to install the program.  The user has to actively participate in installing the program.


 

Handsets at risk

Comwarrior affects Series 60 phones using Symbian OS v6.1 or newer such as the Nokia 3650, 6600 and 6630. Comwarrior does not affect UIQ based Symbian phones such as the popular Sony-Ericsson P900/910 and Motorola A925/1000.

Recommendations

The key advice to all users is that under no circumstances should they download or install software onto their device that they have not specifically requested.  In the same way that a user should not download unknown executable files to a PC or PDA, the risks are the same. 

O2 recommend the following action as generic protection against these attacks to users’ devices:

  • Follow Bluetooth recommendations detailed below to address threats from the Bluetooth interface.
  • Do not download programs from any source (Internet, Bluetooth, IrDA, WAP, etc.) unless you are absolutely sure of the author of the software and the purpose of the software.  Users should be especially suspicious of freeware and shareware.
  • Do not accept .sis files unless you have specifically requested them for a known purpose.
  • Always respond with “NO” to installation requests for software unless you are absolutely sure the software will not damage your device.
  • If a friend sends you a program, call them to confirm what it is and why they sent it, before you open the message.  If they do not know, it is probably a virus.  This advice is valid for all electronic devices, not just mobile phones.

To reset a Nokia Series 60 handset the code *#7370# should be used.  This will return the handset to its ex-factory state, so you will lose all contact information, ring tones, etc.  To avoid this, the device could be backed up, but many laptops will reject the backup because the laptop's virus guard detects the virus.  If the device supports a memory card then it may be possible to copy your information, ring tones, etc. to the memory card prior to resetting the device (check your handset’s handbook, or the manufacturer’s web site, for details).