This application requires Javascript for optimal performance.

SymbOS/Yxes.C!worm - Released Feb 19, 2009 - Last Updated Jun 09, 2009

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The repeated attempts by the worm to send SMS messages may yield:

    • Rapid battery power loss
    • Abnormally high phone bills

  • Presence of the following file:

    • C:\sys\bin\Transmitter.exe

Detailed Analysis

This worm is a variant of SymbOS/Yxes.A!worm, with which it shares some functionalities.

  • It is targeting mobile devices running SymbianOS S60 3rd Edition (eg: Nokia 3250), but may run on a wider range of devices, as it has been reported to run on phones operating SymbianOS S60 3rd edition FP 1 (eg: Nokia N73). It bears a valid certificate signed by Symbian, and as such, installs flawlessly on "normal" (i.e. not "cracked") mobile devices running S60 3rd Edition.

  • It harvests phone numbers from the infected device's contact list, and repeatedly attempts to send SMS messages to those. The messages feature a malicious Web address (aka a URL); upon "clicking" on this address in the received message, the recipients will effectively download a copy of the worm (provided their phones/subscriptions allow for internet browsing).


    • Technical details

  • Creates a global semaphore named TranmitterSemaphore_0x2001EB41.

  • Creates and/or modifies the following files:
    • C:\system\data\prg.ini
    • C:\private\2001EB41\prg.ini
    • C:\private\2001EB41\state.txt
    • C:\private\2001EB41\NumberFile.txt
    • C:\private\2001EB41\TipFile.txt
    • C:\private\2001EB41\PropertyFile.txt
    • C:\private\2001EB41\NumberIndex.txt
    • C:\private\2001EB41\IniNumberIndex.txt
  • Attempts to silently connect to the Internet.

  • Collects phone numbers from the device's contact list.

  • Attempts to send SMS messages to the list of numbers collected above; the messages feature a malicious internet link to a copy of the worm.

    • Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 755619