This application requires Javascript for optimal performance.

Dial/Pornidal!SymbOS - Released Oct 01, 2009 - Last Updated Oct 02, 2009

Alias/es

not-a-virus:Porn-Dialer.SymbOS.Pornidal.a

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • an application named iPornPlayer is installed
  • the phone automatically calls distant phone numbers, at end-user's expense

Detailed Analysis

This dialer gives access to porn images located on youth6.net. The billing consists in having the phone automatically call a few distant phone numbers, at user's expense.
This application has been classified as a dialer because:
  1. As it is related to pornography, system administrators may wish to restrict its usage on their network.
  2. The billing is unclear. End-users do not know how much they will pay to access the images or videos. This can easily lead to abuses
  3. The phone numbers the application calls can (quite) easily be modified. This could potentially have the phone establish long-distance calls or premium numbers, with a high bill at the end.

The website hxxp://youth6.net contains sexually explicit material. However, this material is not directly available from this URL. Instead, the end-user must install a Symbian OS application, named iPornPlayer.
The application runs on Symbian OS 7 and 8. It installs as any legitimate application. After installation, the application's icon is listed on the end-user's phone.

The application drops the following files on the phone:
  • c:\system\apps\sexyvideo\sexyvideo.rsc
  • c:\system\apps\sexyvideo\sexyvideo.app
  • c:\system\programs\fulllengthviewer.exe: this is the main executable of the malware.
  • !:\system\recogs\ezrecog.mdl: this file is installed on the drive specified by the end-user upon installation. It ensures the application restarts after a reboot.
  • terms0.txt: terms and conditions

When the end-user opens the iPornPlayer, the application launches a web browser and contacts URLs such as
  • hxxp://youth6.net/enter.php?n=AN-INTEGER&k=...
  • hxxp://youth6.net/newdl.php?k=...
  • hxxp://youth6.net/numb.kvx?id=320&mod=...
The first two URLs are used to get access to the sexually explicit material, whereas the last one retrieves a list of phone numbers the application should call.
The website replies with an encoded stream that the dialer decrypts with the encryption algorithm stored in \system\apps\cipher\cipher.enc.

As stated in the Terms and Conditions, the dialer charges the end-user for content he/she views by having the application call phone numbers:

"Users get immediate unlimited access to the site youth6.net and are billed each month within the subscription period. The access is billed by calls made to an international destination. The application will try to call destinations which is the most inexpensive for the subscriber (based on the subscriber's country of origin), but are not in any matter obligated to do so. You agree to let the application make these calls to pay for the access fee when due according to these billing terms. Total call duration for unlimited access may vary from ten minutes to four hundred minutes per entry, depending on subscribers country of origin and available international destination. Subscriber's final cost of the calls may vary depending on the mobile operator, international rates may apply."

The dialer contains a first set of hard-coded phone numbers it calls. This list is then updated whenever the dialer contacts the web server, with a different set each time (depending on provided parameters - see id and mod URLs above).

It must be noted that the dialer actually calls phone numbers (including international numbers). It does not send SMS or MMS messages.

Recommended Action

Remove the dialer from the phone's application manager to uninstall.

Reference: ID - 1049390