March 7, 2005 1:58 PM PST
Trojan gets the cell phone message
The malicious software, dubbed "CommWarrior" and described as a virus by some antivirus companies, takes aim at the version of the Symbian operating system running on Nokia Series 60 handsets. F-Secure, SimWorks International and other security providers issued reports about the threat Monday.
CommWarrior attempts to spread by sending messages via Bluetooth wireless connections and Multimedia Message Service--different from the Cabir virus, which only used Bluetooth to proliferate.
MMS, a mobile technology for sending text messages that can also include images, audio or video, is built into devices from Ericsson, Motorola and others. CommWarrior, however, only affects Nokia Series 60 phones.
As MMS can be used to send text messages worldwide, it has a greater reach than the short-range Bluetooth and so could be forwarded more rapidly, researchers said.
"At its best replication speed, Cabir can only spread as quickly as planes fly," said Mikko Hypponen, antivirus research director at Finland-based F-Secure. "But MMS viruses are more comparable to e-mail worms like Bagle, MyDoom, Sobig and others. An MMS threat can travel around the world in hours, so in that regard, it's much more dangerous."
A representative for United Kingdom-based Symbian said the company is aware of the problem and researching the threat with Nokia and its security partners. Nokia could not be immediately reached for comment.
CommWarrior infects the telephone directory software in the Nokia handsets. It randomly selects one directory profile at a time and sends a copy of itself to that person. It can be sent to any kind of wireless gadget or computer, but if that device does not run the Symbian Series 60 software, it will not be infected. A recipient also has to accept and download CommWarrior in order for the Trojan to launch itself.
The Trojan uses more than 20 different messages to try to lure users into opening its file, including text designed to look like legitimate software updates from Symbian, or even pornographic photographs.
CommWarrior has been seen in the wild since the beginning of this year, Hypponen said. An element of the program that causes it to sleep for an undetermined period of time before attempting to spread itself may have helped slow its distribution, he said.
Researchers have noted two versions of the threat thus far, with the only major difference in the strains being the overall file size. Hypponen said there is some Russian-language text hidden inside the files, a clue that the threat may have been developed in that region.
An individual claiming responsibility for creating the threat has made it available for download via a Web site. The site offers no further information about the purported writer of the Trojan.
Based on a lack of consumer reports on the attack, researchers believe that CommWarrior has yet to infect a large number of devices. One reason for the relative dearth of infections may be that the Trojan is trying to send itself to large numbers of landline phones, as it cannot differentiate between mobile and traditional phone numbers.
9 commentsJoin the conversation! Add your comment