To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39128457,00.htm

Nokia phones targeted by Trojan
CommWarrior spreads via MMS messages

By Matt Hines

Published: Tuesday 08 March 2005

Antivirus researchers are investigating a new Trojan horse that could prove to be a more pervasive threat to mobile phones than Cabir.

The malicious software, dubbed "CommWarrior" and described as a virus by some antivirus companies, takes aim at the version of the Symbian operating system running on Nokia Series 60 handsets. F-Secure, SimWorks International and other security providers issued reports about the threat on Monday.

CommWarrior attempts to spread by sending messages via Bluetooth wireless connections and Multimedia Message Service — different from the Cabir virus, which only used Bluetooth to proliferate.

While many modern phones are capable of sending MMS messages CommWarrior only affects Nokia Series 60 phones.

CommWarrior has a greater reach than viruses that spread using the short-range Bluetooth technology and so could be forwarded more rapidly, researchers said.

Mikko Hyppönen, antivirus research director at Finland-based F-Secure, said: "At its best replication speed, Cabir can only spread as quickly as planes fly. But MMS viruses are more comparable to email worms like Bagle, MyDoom, Sobig and others. An MMS threat can travel around the world in hours, so in that regard, it's much more dangerous."

A representative for UK-based Symbian said the company is aware of the problem and researching the threat with Nokia and its security partners. Nokia could not be immediately reached for comment.

CommWarrior infects the telephone directory software in the Nokia handsets. It randomly selects one directory profile at a time and sends a copy of itself to that person. It can be sent to any kind of wireless gadget or computer, but if that device does not run the Symbian Series 60 software, it will not be infected. A recipient also has to accept and download CommWarrior in order for the Trojan to launch itself.

The Trojan uses more than 20 different messages to try to lure users into opening its file, including text designed to look like legitimate software updates from Symbian, or even pornographic photographs.

CommWarrior has been seen in the wild since the beginning of this year, Hyppönen said. An element of the program that causes it to sleep for an undetermined period of time before attempting to spread itself may have helped slow its distribution, he said.

Researchers have noted two versions of the threat thus far, with the only major difference in the strains being the overall file size. Hyppönen said there is some Russian-language text hidden inside the files, a clue that the threat may have been developed in that region.

An individual claiming responsibility for creating the threat has made it available for download via a website. The site offers no further information about the purported writer of the Trojan.

Based on a lack of consumer reports on the attack, researchers believe that CommWarrior has yet to infect a large number of devices. One reason for the relative dearth of infections may be that the Trojan is trying to send itself to large numbers of landline phones, as it cannot differentiate between mobile and traditional phone numbers.

Matt Hines writes for CNET News.com.