Antivirus companies report first mobile messaging worm

CommWarrior, a new mobile phone virus, becomes the first threat to spread over Mobile Messaging Service.

The first mobile phone virus that spreads using the popular Mobile Messaging Service (MMS) is circulating among mobile phone users with Symbian Series 60 mobile phones, antivirus companies have warned.

Antivirus vendors first spotted the new virus, dubbed CommWarrior.A, on Monday. When opened, it places copies of itself on vulnerable mobile phones and uses the phone's address book to send copies of itself to the owner's contacts using MMS. Antivirus experts believe CommWarrior, which has been spreading slowly among cell phone users since January, is not a serious threat. However, the virus could herald a new age of malicious and fast-spreading cell phone threats, according to Mikko Hypponen of F-Secure.

MMS is a popular text messaging technology that is closely related to SMS (Short Message System), but allows mobile phone users to send multimedia content, such as sound files or photos, between MMS compliant mobile phones. The technology is popular, especially outside of the U.S. where phone users have widely adopted newer-generation cell phones that support multimedia features and MMS messaging, Hypponen said.

"My kids use it all the time to send messages, or photos," said Hypponen, who lives in Helsinki.

CommWarrior uses MMS to spread copies of itself to phone numbers stored in the address book of phones it infects. Victims receive MMS messages with file attachments that contain the CommWarrior virus. The messages contain enticing messages such as "3DGame from me. it is FREE!" and "Nokia RingtoneManager for all models," F-Secure said.

When victims open the attached virus file, CommWarrior is installed on the phone and begins randomly sending MMS messages with copies of itself to numbers in the phone book. Complicating matters, CommWarrior can also spread between phones using Bluetooth wireless connections, said Victor Kouznetsov, senior vice president of mobile solutions and McAfee.

Those who do get infected with CommWarrior can easily shut the virus down by pressing and holding the menu button on their cell phone, then selecting the CommWarrior from the list of applications that appears and pressing the "C," or "Clear" button, Kouznetsov said. Once the virus is disabled, mobile phone owners can use file management tools on the phone to locate and remove the virus files.

F-Secure and McAfee both posted bulletins listing the folders where the CommWarrior virus is installed on infected phones.

F-Secure first identified the CommWarrior on Monday. However, a search of the Internet revealed news group messages from Nokia Corp. customers who complained about CommWarrior infections as early as January.

"I need help. I have a very strange problem with my nokia 6600. It tries send MMS automatically to my contacts (Randomly) that I have in my phone book," reads one message, posted January 23, that goes on to verify a commwarrior.exe infection.

A copy of the virus posted on a Web page is dated Jan. 1, and claims to work on the common Nokia Series 60 phones. That could include more than 10 million phones worldwide, but it's doubtful that CommWarrior, as currently written, could infect anywhere near that number, said Kouznetsov.

"It still relies on social engineering and user interaction to spread," he said. Even when users do click to open the CommWarrior attachment, a series of warning messages appear before the virus is actually installed, he said.

F-Secure is testing the sample of CommWarrior. However, the virus is difficult to test. Its ability to spread via wireless and MMS messages makes containment hard, Hypponen said.

Mobile phone viruses are a recent development, but could be a major threat in years to come, as mobile devices become more powerful, according to Hypponen and others.

Cabir, the first known mobile virus, spreads on phones running the Symbian operating system and are equipped with Bluetooth wireless connections, including Series 60 phones from a number of manufacturers, such as Siemens, Nokia and others. The virus first appeared last June as a "proof of concept" released by virus writing group 29a.

In August 2004 the first Cabir infections were first reported in the Philippines. Since then, the virus spread from to Singapore, the United Arab Emirates, China, India and 12 other countries. The first Cabir infections in the U.S. were reported in February.

Cabir can only spread using Bluetooth wireless connections, and requires physical proximity to a vulnerable phone, as well as user interaction to infect phones. Both those factors have limited its spread. MMS and SMS are believed to be better avenues for spreading viruses, because a single infected phone can rapidly send copies of a virus to all of a user's contacts, Hypponen said.

F-Secure, which sells antivirus software for mobile devices, developed an antivirus signature that can detect and block CommWarrior. Company researchers are is still studying the behavior of the virus, Hypponen said.

Mobile phone users with phones that use the Symbian Series 60 operating system are advised not to open unexpected attachments to MMS messages, he said.