Commwarrior.Q a.k.a "Matrix Commwarrior"When the Commwarrior.Q SIS file is installed, it will drop the its executable with a random name, for example 5k8jb1fo.exe, either into C:\ or to a directory that has a random name such as C:\uqxo5dh7xtyc5.
InstallationWhen the Commwarrior.Q executable is executed it will copy itself to C:\System\Libs\cw.exe and will create a bootstrap file to C:\System\Recogs\cw3rec.mdl. If a memory card is present then the same files are created also to the memory card.
Replacing operator logo
Commwarrior.Q creates a bitmap file with the name used by the current operator into C:\system\Apps\Phone\oplogo\
This bitmap file is then shown instead of the operator logo when the phone is on the network.
Generating SIS installation packages to send to other devices
Commwarrior.Q replicates in SIS installation packages over Bluetooth and MMS in same manner as previous variants.
SIS files created by Commwarrior.Q have a random name, for example, anyrah5y.sis or xyr88b0muh7.sis.
A Commwarrior.Q SIS file contains the worm main that has random name and is either in C:\ or randomly named directory.
SIS files created by Commwarrior.Q have a random size between 32100 and 32200 bytes.
Unlike previous variants of Commwarrior, Commwarrior.Q does not use a static product name that is shown during installation.
Previous variants always showed the same name, thus making them easy to identify. The Commwarrior.Q contains an internal list of
strings that is used to generate random, but plausible looking filenames.
The filenames are composed of three component string arrays that are stored in the main binary in obfuscated form.
The string arrays are:
smart,nokia,symbian,nice,fatal,cool,c00l,virtual,f inal,safe,
abstract,static,zend,jedi,trend,micro,mega,hard,ni ce,good,lost
www,web,wap,e-mail,mail,game,graphics,java,hood,------,max,
audio,memory,RAM,ROM,HDD,WinAmp,jedi,hardware,disp lay,keyboard,key
antivirus,anti-virus,guard,--------er,hacker,cracker,checker,driver,m anager,uninstaller,
remover,engine,tool,machine,box,stuff,videoplayer, player,trust,ringtone,
explorer,timer,game,AppMan,recorder,dictaphone,tea m,images,calculator,objects,documents,clips,docs
Replication over Bluetooth
Comwarrior.Q replicates over Bluetooth in SIS files that have a random name, for example, anyrah5y.sis or xyr88b0muh7.sis.
The SIS file contains the worm main that has a random name and is either in C:\ or randomly named directory.
The SIS file contains autostart settings that will automatically execute Commwarrior.Q after the SIS file is installed.
When Comwarrior worm is activated it will start looking for other bluetooth devices, and send a copy of itself to each of these phones
targeting several phones at one attempt.
If a target phone goes out of range or rejects file transfer, commwarrior will search for another phone.
The replication mechanism of Comwarrior is different than in Cabir. The Cabir worm locks into one phone as long as it is in range, and
depending on the variant will either look another variant after losing contact or stay locked.
The Comwarrior worm will constantly look for new targets, thus it is able to contact all phones in range.
Replication over MMS
Commwarrior.Q uses three strategies for spreading over MMS messages.
First, when Commwarrior.Q starts, it starts to go through the phone's address book and sends MMS messages to phone numbers that are marked as a mobile phone.
Commwarrior.Q listens on any arriving MMS or SMS messages and replies to those messages with an MMS message containing the Commwarrior.Q SIS file.
The worm also listens for any SMS messages being sent by the user and sends an MMS message to the same number, right after the SMS message.
The texts in MMS messages sent by Commwarrior.Q contain texts that are stored in the phone Messaging Inbox, thus the messages that Commwarrior.Q sends are texts that the receiving user might expect from the sender.
Displaying HTML Page
After Commwarrior.Q has infected the phone it will, after a random delay, create an HTML page that it will display itself to the user using the phone's default browser. The HTML page is created into directory C:\system\Libs\cwinfo.html
Replication to MMC Card
Commwarrior.Q "listens" for any MMC cards to be inserted into the infected phone, and copies itself to the inserted card. The infected card contains both the Commwarrior executable and the bootstrap component, so that if the infected card is inserted into another phone it will also be infected.
Replication by infecting other SIS files
Commwarrior.Q searches the device C: drive and memory cards for SIS installation files, and will infect all SIS files that it finds. The infected SIS files will be wrapped by Commwarrior.Q so that if the user installs the infected SIS file, Commwarrior.Q will install first followed by the original application.
Infected SIS file will retain the orignal product name so that user will not notice that the SIS package is infected with Commwarrior.Q when installing it.
Removal Steps:Kill Commwarrior Process
1. Install a third-party file manager. For example FExplorer
2. Start FExplorer
3. Select and copy any file to clipboard
* Navigate file system with navigation button. Press right to enter directory, left to leave directory.
* Select C: and press right, select system and press right
* Select any file from c:\system such as backup.xml
* Select Edit/Copy from menu
4. Copy the file to E:\system\temp
* Press left until you are at filesystem selection screen
* Select E: and press right
* Select System and press right, and then temp and press right
* Select Edit/Paste from menu
5. Rename the file to noboot
* Select File/Rename from menu
* Rename the copied file to noboot
6. Reboot the phone
Install F-Secure Mobile Anti-Virus to finish cleaning up your phone
Download the file and select open after download
Install F-Secure Mobile Anti-Virus
Go to Applications Menu and start Anti-Virus
Activate Anti-Virus and scan all files
