[S60 1st, 2nd Edition] Series 60 just got a virus

Discovered on: March 07, 2005

SymbOS.Commwarrior.A is a worm that replicates on Series 60 phones.

It attempts to spread using Multimedia Messaging Service (MMS) and

Bluetooth as a randomly named .sis file.

Also Known As: Commwarrior.A [F-Secure], SymbOS/Commwarrior.a

[McAfee], SYMBOS_COMWAR.A [Trend Micro]

Type: Worm

Systems Affected: EPOC

TECHNICAL DETAILS

When SymbOS.Commwarrior.A arrives at a target device, it may perform

the following actions:

Creates the following files on the phone:

\system\updates\commwarrior.exe

\system\updates\commrec.mdl

\system\apps\commwarrior\commwarrior.exe

\system\apps\commwarrior\commrec.mdl

\system\recogs\commrec.mdl

Rebuilds an .sis file from the above files into the following

location:

\system\updates\commw.sis

Searches for Bluetooth-enabled devices and attempts to send a

randomly named copy of the .sis file to all devices that it finds.

Randomly chooses up to 256 contact numbers from the device's

phonebook and sends an MMS message containing the commw.sis file as

an attachment. The MIME type of the attachment is

application/vnd.symbian.install.

The MMS messages have the following characteristics:

Subject: Norton AntiVirus

Message: Released now for mobile, install it!

Subject: 3DGame

Message: 3DGame from me. It is FREE !

Subject: 3DNow!

Message: 3DNow! mobile emulator for *GAMES*.

Subject: Audio driver

Message: Live3D driver with polyphonic virtual speakers!

Subject: CheckDisk

Message: *FREE* CheckDisk for SymbianOS released!MobiComm

Subject: Desktop manager

Message: Official Symbian desctop manager.

Subject: Display driver

Message: Real True Color mobile display driver!

Subject: Dr.Web

Message: New Dr.Web antivirus for Symbian OS. Try it!

Subject: Free SEX!

Message: Free *SEX* software for you!

Subject: Happy Birthday!

Message: Happy Birthday! It is present for you!

Subject: Internet Accelerator

Message: Internet accelerator, SSL security update #7.

Subject: Internet *****er

Message: It is *EASY* to ******* provider accounts!

Subject: MS-DOS

Message: MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try

it!

Subject: MatrixRemover

Message: Matrix has you. Remove matrix!

Subject: Nokia ringtoner

Message: Nokia RingtoneManager for all models.

Subject: PocketPCemu

Message: PocketPC *REAL* emulator for Symbvian OS! Nokia only.

Subject: Porno images

Message: Porno images collection with nice viewer!

Subject: PowerSave Inspector

Message: Save you battery and *MONEY*!

Subject: Security update #12

Message: Significant security update. See http://www.symbian.com

Subject: Symbian security update

Message: See security news at http://www.symbian.com

Subject: SymbianOS update

Message: OS service pack #1 from Symbian inc.

Subject: Virtual SEX

Message: Virtual SEX mobile engine from Russian hackers!

Subject: WWW *****er

Message: Helps to ******* WWW sites like hotmail.com

REMOVAL INSTRUCTION

To remove SymbOS.Commwarrior.A:

1. Install a file manager program on the phone.

2. Enable the option to view the files in the system directory.

3. Search the drives, A through Y, for the \system\apps\commwarrior

directory.

4. Delete the files commwarrior.exe and commrec.mdl.

5. Go to the \system\updates\commwarrior directory.

6. Delete the files commwarrior.exe, commrec.mdl, and commw.sis.

7. Go to the \system\recogs directory.

8. Delete the file commrec.mdl.

RECOMENDATION

* If Bluetooth is not required, it should be turned off.

* If you require the use of Bluetooth, ensure that the device's

visibility setting is set to "Hidden" so that it can not be scanned

by other Bluetooth devices.

* Avoid use of device pairing. If it must be used, ensure that all

paired devices are set to "Unauthorized". This requires each

connection request to be authorized by the user.

* Do not accept unsigned applications (no digital signature) or

applications sent from unknown sources. Be absolutely sure of the

origin of the application before accepting it

Την εχουμε βαψει κανονικα!!!

Ισως και να μπορουμε να την γλυτωσουμε αν δεν το ανοιξουμε, αφου πρωτα υποψιαστουμε απο τον τιτλο που θα εχει.

Δηλαδη η μονη προστασια για να μην κολλησουμε ειναι να μην το ανοιξουμε???

Παδια δεν χρειαζεται να σας πιανει πανικος.Μεχρι στιγμης ολοι οι ιοι που κυκλοφορουν πρεπει να τους εγκαταστησεις εσυ απο μονος σου.Αμα εισαι πληροφορημενος και δεν εγκαθιστας πραγματα που σου στελνουν τοτε κανενα προβλημα.

Το μεγαλο προβλημα θα ειναι οταν καποιος ιος δεν ρωταει πλεον για να εγκατασταθει. :scared:

7/3/2005

Symbian OS anti-virus specialist SimWorks announced today that it has identified the first virus targeting the platform that is capable of spreading itself via MMS messages. Using MMS, the CommWarrior.a virus, as SimWorks have named it, can instantaneously send itself to any MMS compatible mobile phone in the world, yet only infects those based on Symbian OS platforms.

Multimedia Message Service (MMS) is a more advanced version of the Short Message Service (SMS) familiar to users of GSM based handsets around the world, and allows rich content such as pictures, sounds, video, and applications to be sent as well as text.

Affecting Series 60 smartphones based on Symbian OS 6.1 or newer, such as the Nokia 3650, 6600 and 6630, the virus does not affect devices running on the UIQ platform, such as the Sony Ericsson P900/P910 and Motorola A925/A1000. Scanning the infected phone's address book, CommWarrior periodically sends MMS messages to randomly selected contacts, including a copy of itself and one of several predefined text messages designed to encourage the recipient to install the application.

"With MMS messages typically costing between $0.25 and $1.00 CommWarrior could prove expensive to anyone unlucky enough to be infected by it. As the virus runs silently in the background it could be quite some time before the user becomes aware of the potentially hundreds of MMS messages that have been sent," said Aaron Davidson, CEO of SimWorks.

Unlike many recent proof-of-concept mobile viruses, SimWorks also said it had received a report of CommWarrior in the wild which it is seeking to confirm.

In addition to using MMS, CommWarrior also attempts to infect nearby devices by means of Bluetooth, similar to other recent viruses targeting the Symbian OS platform. According to SimWorks, CommWarrior is the first mobile virus to use such a two-pronged distribution strategy, which the company said may allow much faster and more geographically widespread infection of vulnerable devices.

As has been the case with past viruses targeting the Symbian OS platform, however, users are still required to accept the installation of the virus whether receiving it via Bluetooth or MMS, which in conjunction with limited MMS interoperability amongst mobile network operators could contribute to slowing down the spread of the virus.

Καλα και συ μην το κανεις τοσο τραγικο :p

Να δεχεσαι αρχεια που σου στελνουν ΑΛΛΑ. Οταν σου λεει Εφαρμογη Εγκατασταση μπλα μπλα.... πατα ΟΧΙ. Μετα πηγαινε στα μηνυματα να δεις αν ειναι ιος η οχι. Αν δεν ειναι και θες να το εγκαταστησεις , απλα ανοιξε το απο κει :w00t:

Με Bluetooth έλαβα ένα μήνυμα με τίτλο “caribe” αυτό εγκαταστάθηκε στην συσκευή μου και το τηλέφωνο μου είχε πρόβλημα κατά το άνοιγμα, στην συνέχεια το έκανα uninstall αλλά η συσκευή μου συνεχίζει να έχει πρόβλημα κατά το άνοιγμα.

Αυτό όμως που διαπίστωσα τώρα είναι ότι όποτε ενεργοποιώ το Bluetooth, το τηλέφωνο μου (NOKIA 6630) στέλνει από μόνο του σε όσες Bluetooth συσκευές εντοπίσει το αρχείο “caribe”

Υπάρχει τρόπος να διορθώσω αυτό το πρόβλημα ?

ΥΓ. SORY που σας κουράζω, Διαβασα τόσα σε αυτό το τοπικ, εχει τοσα πολλά, που τελικά μπερδευτικα και ακρη δεν εβγαλα.

Aeras κατεβασε το removal tool κανε ενα scan της συσκευης σου και λογικα θα τον βρει και θα τον βγαλει. :)

Εγινε, σε ευχαριστώ πολύ.

Έκανα και κάτι άλλο αλλά δεν ξέρω αν έκανα καλά,

έσβησα από την διαχείριση εφαρμογών ότι είχε εγκατεστημένο χωρίς

αναγνωρίσιμο πιστοποιητικό, (το AnyHttp και το BTKB Installer)

μηπως εκανα χαζομάρα ?

Έκανα και κάτι άλλο αλλά δεν ξέρω αν έκανα καλά,

έσβησα από την διαχείριση εφαρμογών ότι είχε εγκατεστημένο χωρίς

αναγνωρίσιμο πιστοποιητικό, (κάτι για http κτλ αν θυμάμαι καλά)

μηπως εκανα χαζομάρα ?

Χαζομαρα δεν εκανες γιατι μπορεις να τα ξαναβαλεις αλλα δεν χρειαζοτανε γιατι πιστοποιητικο εχουν ελαχιστες εφαρμογες εκτος και αν τις εχεις αγορασει. ;)

Χαζομαρα δεν εκανες γιατι μπορεις να τα ξαναβαλεις αλλα δεν χρειαζοτανε γιατι πιστοποιητικο εχουν ελαχιστες εφαρμογες εκτος και αν τις εχεις αγορασει. ;)

Εσβησα το

AnyHttp

και το

BTKB Installer

Δεν ξερω τι κανουν αυτά αλλα απο που μπορώ να τα βρω για να τα ξαναβάλω ?

Drever.A found

Helsinki, Finland - March 18, 2005

Drever.A is a malicious SIS file trojan that disables Simworks’s and Kaspersky’s mobile antivirus software’s automatic startup. It is still unverified whether either of these softwares is being protected against such attacks. Drever.A has no effect on F-Secure Mobile Anti-Virus -software.

Drever.A drops non-functional copies of the bootloaders used by Simworks Anti-Virus and Kaspersky Symbian Anti-Virus. These non-functional copies overwrite the original files, causing the target software not to load automatically when the phone boots.

===========================================================

Locknut.B found

Helsinki, Finland - March 18, 2005

F-Secure’s viruslab got a sample of the Locknut.B trojan on Friday, March 18, 2005. Locknut.B disables phones allowing them only to be disinfected with a special disinfection tool. F-Secure Mobile Anti-Virus detects the trojan, so it is not a threat to our antivirus software users.

When installed, Locknut.B drops a binary that crashes phone’s critical system component. By crashing the component, it prevents phone’s applications being launched. So the trojan effectively locks the phone.

The Locknut.B also drops a copy of Cabir.V into the device. Cabir.V is not able to start automatically and is harmless as the Locknut.B disables all applications on the infected phone.

==========================================================

NAME: Drever.C

ALIAS: SymbOS/Drever.C

Drever.C is a malicious SIS file trojan that attacks bootloader files of several mobile Anti-Virus programs, and tries to attack F-Secure Mobile Anti-Virus by overwriting its files.

The Drever.C attacks bootloader files of Kaspersky, Simworks and F-Secure Symbian Anti-Virus products.

In addition of trying to overwrite the bootloaders, the Drever.C will also try to cripple F-Secure Mobile Anti-Virus by replacing it's binaries with corrupted ones.

However as F-Secure Mobile Anti-Virus contains protection against any modification attempts of its own files, both attacks will fail when Anti-Virus is in realtime scan mode as it is by default.

If the F-Secure Mobile Anti-Virus is switched off, or in manual scan mode, which is basically same as switched off. The attack will damage Anti-Virus, but user can recover easily by re-installing Anti-Virus.

Disinfection

Drever.C can be disinfected easily by using F-Secure Mobile Anti-Virus available from http://www.f-secure.com/estore/avmobile.shtml

Or you can uninstall it by uninstalling the SIS file in which Drever.C was installed from using application manager

1. Open the application manager

2. Uninstall New_bases_and_cr@ck_for_antiviruses.sis

3. Re-install your Anti-Virus

Payload

When Drever SIS file is installed to the system it try to replace the bootloader files used by Kaspersky, Simworks and F-Secure Symbian Anti-Virus products with corrupted versions. In addition of bootloader files the Drever.C will also install corrupted binaries or F-Secure Mobile Anti-Virus and corrupted licence file of Simworks Anti-Virus.

If the device has F-Secure Mobile Anti-Virus with updated databases, the Drever.C will be detected before it can be installed. If the device does not have up to date databases, the install will still fail as attempt to overwrite F-Secure Anti-Virus files will crash the application installer, thus terminating the installation of Drever.C

The files are corrupted by manually editing them and writing text '123' into random locations in the files.

Some of the edited files contain strings intended as messages to AV vendors:

FSECURE MUST DIE!!!!!!

Please, don't make new antiviruses for my viruses and I stop make

viruses for your antiviruses. My target is Simworks!

=)

Spreading in New_bases_and_cr@ck_for_antiviruses.sis

Χαζομαρα δεν εκανες γιατι μπορεις να τα ξαναβαλεις αλλα δεν χρειαζοτανε γιατι πιστοποιητικο εχουν ελαχιστες εφαρμογες εκτος και αν τις εχεις αγορασει. ;)

Καλησπέρα,

Σήμερα καθόμουν κάπου στο κέντρο τις πόλης και κατα λάθος (ειλικρινά, ενώ έχω ανοιχτό το bt δεν δέχομαι αρχεία) πάτησα αποδοχή σε ένα αρχείο που απο οτι μου είπε ήταν multimedia (mms?)...δεν πρόλαβε να γίνει τίποτα, ούτε εγκατάσταση ούτε τίποτα (το σταμάτησα :confused: )αλλά για καλό και κακό έκανα ένα format το κινητό και ξαναπέρασα ένα παλιό backup που είχα στο κινητό.

Δυστηχώς δεν θα "κοιμηθώ" ήσυχος αν δεν κάνω και ένα scan στο κινητό. :w00t: :blink:

Οπότε αν υπάρχει κανένα link για 3650 antivirus (κατα προτίμηση free) θα σας ήμουν υπόχρεως. Το Symantec που είναι 600k και βάλε, δεν το κάνει εγκατάσταση. Αλήθεια, πως μπορώ να δω τι "τρέχει" στην μνήμη το κινητό ;

Thanks.

Δοκιμασε τα

http://www.f-secure.com/tools/f-cabir.sis (Removal tool for Cabir (Caribe) worm for S60 devices)

http://www.f-secure.com/tools/f-skulls.sis (Removal tool for Skulls trojans for S60 devices)

http://www.f-secure.com/tools/f-locknut.sis (Removal tool for Locknut.A trojan for S60 devices)

η το δοκιμαστικο προγραμμα F-Secure Mobile Anti-Virus

http://mobile.f-secure.com/fsc/retail/

http://mobile.f-secure.com/downloads.html

Δοκιμασε τα

http://www.f-secure.com/tools/f-cabir.sis (Removal tool for Cabir (Caribe) worm for S60 devices)

http://www.f-secure.com/tools/f-skulls.sis (Removal tool for Skulls trojans for S60 devices)

http://www.f-secure.com/tools/f-locknut.sis (Removal tool for Locknut.A trojan for S60 devices)

 

η το δοκιμαστικο προγραμμα F-Secure Mobile Anti-Virus

http://mobile.f-secure.com/fsc/retail/

 

http://mobile.f-secure.com/downloads.html

Δεν φαντάζομαι να ήταν κανένα απο αυτά, δεν πρόλαβε καν να έρθει το αρχείο...δεν έγινε κάτι εγκατάστασει. Ίσως όταν προσπάθησα να κάνω εγκατάσταση το antivirus και δεν τα κατάφερε λόγω μνήμης, να μου άρχισε τα προβλήματα. Εντάξει, άσχετος απο symbian είμαι αν κάνω κάτι λάθος...σόρυ. :X :O

Παντως απο την στιγμη που δεν εκανες εγκατασταση το αρχειο που σου ηρθε δεν εχεις κανενα απολυτως προβλημα... ;)

Έτσι νομίζω και εγώ, καλού-κακού έγινε και το format για καθαρά προληπτικούς λόγους :blink: (λόγω σύνδεσης και οχι κάρτοκινητού όπως παλιά).

Θα δείξει :X ...πάντως απο την εταιρία μου είπαν οτι για οποιαδήποτε παράξενη αλλαγή στο πάγιο (διπλασιασμό, τριπλασιασμό κτλ) σε ενημερώνουν για να το έχεις υπόψην σου και να κάνεις τις ανάλογες αλλαγές.

;)

Aκομα ενας νεος ιος

SymbOS.Mabir

SymbOS.Mabir is a worm that propagates through Bluetooth and MMS. The worm runs on the Symbian OS, which is used as the operating system for Nokia Series 60 cellular telephones.

Once executed, SymbOS.Mabir performs the following actions:

1. Creates the following files on the device:

* \SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.APP

* \SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.RSC

* \SYSTEM\RECOGS\FLO.MDL

* \SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\CARIBE.SIS

* \SYSTEM\SYMBIANSECUREDATA\CARIBESECURITYMANAGER\INFO.SIS

2. Sends MMS messages to the phone numbers of previously received MMS messages. The worm includes a copy of itself as an attachment.

3. Scans for other Bluetooth-enabled devices to send itself to. The worm will attempt to send itself to any Bluetooth devices found.

4. Executes every time the compromised device is powered off and powered back on.

http://securityresponse.symantec.com/avcenter/venc/data/symbos.mabir.html

Διαβάστε περισσότερα στο [thread=65290]νέο της κεντρικής σελίδας[/thread]

NEW SymbOS.Fontal.A

Spreading in Kill Saddam By OID500.sis

Fontal.A is a SIS file trojan that installs corrupted Font file into infected device, thus causing the device to fail at next reboot.

If a phone is infected with Fontal.A, it must not be rebooted as the trojan will prevent the phone from booting again. If the phone is rebooted, it will try to boot, but will be forever stuck on phone startup and cannot be used.

In addition of installing the corrupted font file the Fontal.A also damages the application manager so that it cannot be uninstalled, and no new applications can be installed before the phone is disinfected.

http://www.f-secure.com/v-descs/fontal_a.shtml

http://securityresponse.symantec.com/avcenter/venc/data/symbos.fontal.a.html#technicaldetails

NEW SymbOS.Fontal.A

^^^

Κακοοο......!

Το 6600 με το φορμάτ των πλήκτρων θα σώζεται λογικά. (Ποιά άλλα S60 έχουν αυτόν τον τρόπο φορμάτ;)

Ολα απο Symbian 7.0 και μετα. ;)

Που μπορούμε να βρούμε το Antivirus της Symantec Security με cr@kc;

Aν γνωρίζει κανείς ας δώσει ένα link για να το κατεβάσουμε.

Eυχαριστώ.

A new Symbian trojan Hobbes.A detected

Helsinki, Finland - April 14, 2005

Hobbes.A is a SIS file trojan that looks like the Symantec Anti-Virus for Symbian phones. When the trojan is installed, it shows a dialog instructing the user to reboot the phone in order to activate the Symantec Anti-Virus software. The trojan does not contain any antivirus software but a component that disables the phone's application menu.

The trojan has been tested in different phones and it seems to affect only older Symbian Series 60 phones such as NGage and 3650.

Any user who installs the trojan should not reboot the phone. Instead they should uninstall the file with Application Manager.

Disinfection if user has not rebooted the phone

1. Uninstall the Symantec.sis using application manager
   

Disinfection is user has rebooted the phone

1. Remove memory card from the phone and boot it again
   
2. Install some file manager on the phone
   
3. Go to the memory card and delete file \system\recogs\recAutoExec.mdl
   
4. Uninstall the Symantec.sis using application manager
   

Installation to system

When installed to the system the Hobbes.A installs corrupted version of FExplorer trying to disable FExplorer file manager, but fails as it installs it into incorrect directory.

Hobbes.A also installs several recognizer components to C: and E: drives, one of the components is a corrupted version of legitimate application which is missing it's other components and thus crashing on boot on older Symbian versions.

Spreading in

Symantec.SIS

Payload

Crashes the operating system application loading mechanism on reboot. Thus preventing applications menu or other programs from starting.

Περισσοτερα ΕΔΩ .