Mobile worm variant causes alarm

Mobile phone malware writers are up to no good again. A security vendor has detected a new variant of an aggressive Russian mobile worm that uses some alarming new tricks.

Like its earlier relatives, Commwarrior.Q will jump onto another phone using a short-range Bluetooth wireless connection, said F-Secure Corp., an antivirus company based in Helsinki. It also spreads via MMS (multimedia messaging service) or by an infected memory card inserted into a device.

Commwarrior.Q is not spreading widely. But the worm has new traits that make it particularly aggressive and it appears to be one of the most complex pieces of mobile malware created to date, said Antti Vihavainen, vice president of mobile security for F-Secure, which has issued an advisory.

Commwarrior.Q will continuously send MMS messages from midnight to 7 a.m. to people in an infected phone's address book. It cleverly assembles a text message from the phone's "sent" file, making it appear legitimate, Vihavainen said.

After 7 a.m., however, Commwarrior.Q stops that action, as it would be noticeable to the user. It then starts scanning other phones to infect via Bluetooth.

Commwarrior.Q will infect any Symbian OS application installation files, called SIS files. Unlike its predecessors, the SIS files that Commwarrior.Q infects take on random names, making them harder to identify. Previous versions of Commwarrior used the same file name, F-Secure said.

The SIS files also range in size from 32,100 to 32,200 bytes, making them hard to distinguish from MMS messages if mobile operators wanted to filter them out of their networks, Vihavainen said.

Commwarrior.Q can't automatically infect a phone, however, Vihavainen said. A user will be prompted if they receive an infected SIS file, and they have to accept the file. Users also get another security prompt. After that, however, Commwarrior.Q will start running.

F-Secure has notified mobile operators of the worm, Vihavainen said. Operators could potentially filter out all transfers of SIS files between phones, but that would reduce functionality, he said.

Commwarrior.Q affects Symbian Series 60 phones that use Symbian OS version 8.1 or older, F-Secure said.

Users may eventually know if they are infected, as Commwarrior.Q intermittently displays an HTML (Hypertext Markup Language) page with text that says, in part, "No panic please, is it very interesting to have mobile virus at own phone."

Commwarrior was first seen in 2005, and several variants have been detected. One version, Commwarrior.B, send continuous MMSes, draining the phone battery unbeknownst to users. When charged, the phone won't reboot.

Commwarrior.Q does not damage data on a phone, Vihavainen said. But a user could incur high phone charges caused by the worm sending messages during the night, he said.

Mobile malware is not widespread but researchers say it could become more prevalent as people use more complex mobile devices.