
SymbOS/Beauty.A!worm - Released Feb 08, 2009 - Last Updated Jun 09, 2009

Alias/es

Worm.SymbOS.Yxe.b (Kaspersky,F-secure)

Visible Symptoms

  • The repeated attempts by the worm to send SMS messages may yield:

    • Rapid battery power loss
    • Abnormally high phone bills

  • Presence of the following files:

    • c:\sys\bin\EConServer.exe
    • c:\private\101f875a\import\[2001EB45].rsc

Detailed Analysis

  • This worm targets mobile devices running SymbianOS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices; for instance, it has been successfully tested on the Nokia N95 (S60 3rd Edition FP1). Surprisingly, it bears a valid certificate signed by Symbian, and as such installs flawlessly on "normal" (i.e. not "cracked") S60 3rd Edition devices.

  • It harvests phone numbers from the infected device's contact list and repeatedly attempts to send SMS messages to those numbers. The messages contain a malicious Web address (a URL); upon "clicking" this address in the received message, the recipient effectively downloads a copy of the worm (provided their phone/subscription allows internet browsing).

  • Beyond propagating to as many users as possible via the strategy mentioned above, the worm's aim is to gather intelligence on the infected victim (serial number of the phone, subscription number...) and post it to a malicious server likely controlled by cybercriminals.

Technical details

  • Creates a global semaphore named EConServerSemaphore_0x2001EB45.

  • Kills the following processes:

    • AppMngr
    • TaskSpy
    • Y-Tasks
    • ActiveFile
    • TaskMan

  • Creates a .SISX file (signed Symbian installation file) named root.sisx in the C:\Data folder.

  • Modifies the file C:\system\data\System.ini.

  • Creates a log file named mr.log.

  • Attempts to silently connect to the Internet.

  • Attempts to collect the following information from the infected system:

    • IMEI
    • IMSI
    • Phone type
    • Phone number
    • Version

  • Posts the information collected above to a web server via HTTP.

  • Collects phone numbers from the device's contact list.

  • Attempts to send SMS messages to the list of numbers collected above; the messages feature a malicious internet link to a copy of the worm.

  • Registers itself to load upon system restart.
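The SMS behaviour described above (URL-bearing messages pushed to every harvested contact in quick succession) is what produces the battery drain and high bills listed under Visible Symptoms, and it is also the most detectable part of the worm from the operator or device side. The following is an added example, not Fortinet's or the worm's code: a sliding-window detector that flags an outbound SMS log when URL-bearing messages reach many distinct recipients inside a short window. The log format, the phone numbers and the URL are constructed for the example; a real deployment would feed it from the device's or the carrier's outbound message records.

```python
import re
from collections import deque
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)

def parse_sms_log(text):
    """Parse constructed lines of the form '<ISO timestamp> <recipient> <body>'."""
    entries = []
    for line in text.strip().splitlines():
        ts, recipient, body = line.split(" ", 2)
        entries.append((datetime.fromisoformat(ts), recipient, body))
    return sorted(entries)                # chronological order for the sliding window

def detect_sms_burst(sms_log, window=timedelta(minutes=10), threshold=4):
    """Alert when URL-bearing outbound SMS reach >= threshold distinct recipients
    inside one sliding window; each alert is (window_start, window_end, recipients)."""
    alerts, recent = [], deque()          # recent: (timestamp, recipient) with a URL
    for ts, recipient, body in sms_log:
        if not URL_RE.search(body):
            continue                      # plain messages never count toward a burst
        recent.append((ts, recipient))
        while ts - recent[0][0] > window:
            recent.popleft()              # drop messages older than the window
        distinct = len({r for _, r in recent})
        if distinct >= threshold:
            alerts.append((recent[0][0], ts, distinct))
            recent.clear()                # one alert per burst, not one per message
    return alerts

# Constructed sample: four URL-bearing messages to four contacts within two minutes
# (worm-like), bracketed by two ordinary messages that must not trigger the detector.
SAMPLE_LOG = """
2009-02-08T10:00:00 +15550001 see you at 8
2009-02-08T10:01:00 +15550002 look here http://example.invalid/beauty
2009-02-08T10:01:30 +15550003 look here http://example.invalid/beauty
2009-02-08T10:02:00 +15550004 look here http://example.invalid/beauty
2009-02-08T10:02:30 +15550005 look here http://example.invalid/beauty
2009-02-08T10:30:00 +15550002 thanks
"""

def demo():
    return detect_sms_burst(parse_sms_log(SAMPLE_LOG))
```

The threshold and window are tuning knobs: legitimate users do occasionally forward one link to a handful of contacts, so the values should be set from a baseline of normal traffic rather than the tight ones used here for the sample.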


Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 729093