Worm:SymbOS/Corrior.A!ezboot is a worm that affects mobile devices running the Symbian operating system (SymbOS) and that may arrive in a device through Bluetooth.
Installation
Worm:SymbOS/Corrior.A!ezboot may arrive in the device via Bluetooth. It may arrive as a SIS file with a random file name, or as an MMS with any of the following details:
Subject: Norton AntiVirus
Message: Released now for mobile, install it!
Subject: Dr.Web
Message: New Dr.Web antivirus for Symbian OS. Try it!
Subject: MatrixRemover
Message: Matrix has you. Remove matrix!
Subject: 3DGame
Message: 3DGame from me. It is FREE !
Subject: MS-DOS
Message: MS-DOS emulator for SymbvianOS. Nokia series 60 only. Try it!
Subject: PocketPCemu
Message: PocketPC *REAL* emulator for Symbvian OS! Nokia only.
Subject: Nokia ringtoner
Message: Nokia RingtoneManager for all models.
Subject: Security update #12
Message: Significant security update. See www.symbian.com
Subject: Display driver
Message: Real True Color mobile display driver!
Subject: Audio driver
Message: Live3D driver with polyphonic virtual speakers!
Subject: Symbian security update
Message: See security news at www.symbian.com
Subject: SymbianOS update
Message: OS service pack #1 from Symbian inc.
Subject: Happy Birthday!
Message: Happy Birthday! It is present for you!
Subject: Free SEX!
Message: Free *SEX* software for you!
Subject: Virtual SEX
Message: Virtual SEX mobile engine from Russian hackers!
Subject: Porno images
Message: Porno images collection with nice viewer!
Subject: Internet Accelerator
Message: Internet accelerator, SSL security update #7.
Subject: WWW Cracker
Message: Helps to *CRACK* WWW sites like hotmail.com
Subject: Internet Cracker
Message: It is *EASY* to *CRACK* provider accounts!
Subject: PowerSave Inspector
Message: Save you battery and *MONEY*!
Subject: 3DNow!
Message: 3DNow!(tm) mobile emulator for *GAMES*.
Subject: Desktop manager
Message: Official Symbian desctop manager.
Subject: CheckDisk
Message: *FREE* CheckDisk for SymbianOS released!MobiComm
It may drop the following files:
C:\System\updates\commrec.mdl - detected as Worm:SymbOS/Corrior.A!ezboot
C:\System\apps\commwarrior\commwarrior.exe
C:\System\apps\commwarrior\commrec.mdl
C:\System\recogs\commrec.mdl
C:\System\updates\commw.sis
Spreads via...
Memory cards
If a memory card is present in the device, Worm:SymbOS/Corrior.A!ezboot may copy itself and another malware to the card as the following:
<drive>:\System\apps\CommWarrior\commrec.mdl - detected as Worm:SymbOS/Corrior.A!ezboot
When the device boots up, commrec.mdl loads commwarrior.exe.
Payload
Drops and runs other malware
Worm:SymbOS/Corrior.A!ezboot drops and runs another malware, detected as Worm:SymbOS/Corrior.B, as specified in the Installation and Spreads via... sections.
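As an added example (not part of the original analysis), the following Python script checks an extracted copy of a device's file system for the file paths listed in the Installation and Spreads via... sections. The dump layout (one folder per drive letter), the function names and the sample files are assumptions made for illustration.

```python
import os
import tempfile

# File paths listed on this page, lowercased, with the drive letter removed.
C_DRIVE_PATHS = {
    r"\system\updates\commrec.mdl",
    r"\system\apps\commwarrior\commwarrior.exe",
    r"\system\apps\commwarrior\commrec.mdl",
    r"\system\recogs\commrec.mdl",
    r"\system\updates\commw.sis",
}
# Memory-card copy: the page gives this path for any <drive>.
ANY_DRIVE_PATHS = {r"\system\apps\commwarrior\commrec.mdl"}


def scan_dump(root):
    """Return sorted device paths in a dump (assumed layout: root/<drive letter>/...) that match."""
    hits = []
    for drive in os.listdir(root):
        drive_dir = os.path.join(root, drive)
        if len(drive) != 1 or not drive.isalpha() or not os.path.isdir(drive_dir):
            continue  # not a drive folder in the assumed layout
        for folder, _dirs, files in os.walk(drive_dir):
            for name in files:
                rel = os.path.relpath(os.path.join(folder, name), drive_dir)
                # The page writes both "commwarrior" and "CommWarrior": compare case-insensitively.
                key = "\\" + rel.replace(os.sep, "\\").lower()
                if key in ANY_DRIVE_PATHS or (drive.upper() == "C" and key in C_DRIVE_PATHS):
                    hits.append(drive.upper() + ":" + key)
    return sorted(hits)


def build_sample_dump():
    """Create a constructed sample dump made of empty placeholder files."""
    root = tempfile.mkdtemp()
    for rel in ("C/System/recogs/commrec.mdl",
                "C/System/updates/commw.sis",
                "E/System/apps/CommWarrior/commrec.mdl",
                "E/System/updates/commw.sis",        # path is listed for C: only
                "C/System/apps/Camera/camera.app"):  # constructed benign file
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for hit in scan_dump(build_sample_dump()):
        print(hit)
```

A match on a path is only a lead: the page ties detection names to specific files, so any hit should be confirmed with an antimalware scan of the file itself.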
Analysis by Andrei Florin Saygo