First mobile messaging worm reported in the wild

CommWarrior.A uses PXT messages to get around, but isn't a serious threat says anti-virus company

The first mobile phone virus that spreads using the popular Mobile Messaging Service (MMS), known as PXT messaging to Vodafone users, is circulating among mobile phone users with Symbian Series 60 mobile phones, antivirus companies have warned.

Antivirus vendors first spotted the new virus, dubbed CommWarrior.A, on Monday. When opened, it places copies of itself on vulnerable mobile phones and uses the phone's address book to send copies of itself to the owner's contacts using MMS. Antivirus experts believe CommWarrior, which has been spreading slowly among cell phone users since January, is not a serious threat. However, the virus could herald a new age of malicious and fast-spreading cell phone threats, according to Mikko Hyppönen of F-Secure Corp.

MMS is a popular text messaging technology that is closely related to SMS (Short Message System), but allows mobile phone users to send multimedia content, such as sound files or photos, between MMS compliant mobile phones. The technology is popular, especially outside the US where phone users have widely adopted newer-generation cell phones that support multimedia features and MMS messaging, Hyppönen says.

"My kids use it all the time to send messages, or photos," says Hyppönen, who lives in Helsinki.

CommWarrior uses MMS to spread copies of itself to phone numbers stored in the address book of phones it infects. Victims receive MMS messages with file attachments that contain the CommWarrior virus. The messages contain enticing messages such as "3DGame from me. it is FREE!" and "Nokia RingtoneManager for all models," F-Secure says.

When victims open the attached virus file, CommWarrior is installed on the phone and begins randomly sending MMS messages with copies of itself to numbers in the phone book. Complicating matters, CommWarrior can also spread between phones using Bluetooth wireless connections, says Victor Kouznetsov, senior vice president of mobile solutions at McAfee.

Those who do get infected with CommWarrior can easily shut the virus down by pressing and holding the menu button on their cell phone, then selecting the CommWarrior from the list of applications that appears and pressing the "C," or "Clear" button, Kouznetsov says. Once the virus is disabled, mobile phone owners can use file management tools on the phone to locate and remove the virus files.

F-Secure and McAfee both posted bulletins listing the folders where the CommWarrior virus is installed on infected phones.

F-Secure first identified the CommWarrior this week. However, a search of the internet revealed news group messages from Nokia customers who complained about CommWarrior infections as early as January.

"I need help. I have a very strange problem with my Nokia 6600. It tries send MMS automatically to my contacts (Randomly) that I have in my phone book," reads one message, posted January 23, that goes on to verify a commwarrior.exe infection.

A copy of the virus posted on a webpage is dated January 1, and claims to work on the common Nokia Series 60 phones. That could include more than 10 million phones worldwide, but it's doubtful that CommWarrior, as currently written, could infect anywhere near that number, says Kouznetsov.

"It still relies on social engineering and user interaction to spread," he says. Even when users do click to open the CommWarrior attachment, a series of warning messages appear before the virus is actually installed, he says.

F-Secure is testing the sample of CommWarrior. However, the virus is difficult to test. Its ability to spread via wireless and MMS messages makes containment hard, Hyppönen says.

Mobile phone viruses are a recent development, but could be a major threat in years to come, as mobile devices become more powerful, according to Hyppönen and others.

Cabir, the first known mobile virus, spreads on phones running the Symbian operating system and are equipped with Bluetooth wireless connections, including Series 60 phones from a number of manufacturers, such as Siemens, Nokia and others. The virus first appeared last June as a "proof of concept" released by virus writing group 29a.

In August 2004 the first Cabir infections were first reported in the Philippines. Since then, the virus spread from to Singapore, the United Arab Emirates, China, India and 12 other countries.

Cabir can only spread using Bluetooth wireless connections, and requires physical proximity to a vulnerable phone, as well as user interaction to infect phones. Both those factors have limited its spread. MMS and SMS are believed to be better avenues for spreading viruses, because a single infected phone can rapidly send copies of a virus to all of a user's contacts, Hyppönen says.

F-Secure, which sells antivirus software for mobile devices, developed an antivirus signature that can detect and block CommWarrior. Company researchers are is still studying the behavior of the virus, Hyppönen says. Mobile phone users with phones that use the Symbian Series 60 operating system are advised not to open unexpected attachments to MMS messages, he says.

Join the newsletter!

Error: Please check your email address.

Tags CommWarrior.A

More about F-SecureMcAfee AustraliaNokiaSiemensSymbianVodafone

Show Comments
[]