| Alias/es | Worm:SymbOS/Yxe (F-Secure) |
| Release Date | Feb 19, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 11.589 |
| Description | Visible Symptoms
- The repeated attempts by the worm to send SMS messages may yield:
  - Rapid battery power loss
  - Abnormally high phone bills
- Presence of the following file:
  - C:\sys\bin\Transmitter.exe
Detailed Analysis
This worm is a variant of SymbOS/Yxes.A!worm, with which it shares some functionality.
It targets mobile devices running SymbianOS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices, as it has been reported to run on phones operating SymbianOS S60 3rd Edition FP 1 (e.g. Nokia N73). It bears a valid certificate signed by Symbian and, as such, installs flawlessly on "normal" (i.e. not "cracked") mobile devices running S60 3rd Edition.
It harvests phone numbers from the infected device's contact list and repeatedly attempts to send SMS messages to them. The messages feature a malicious Web address (aka a URL); upon "clicking" on this address in the received message, the recipients will effectively download a copy of the worm (provided their phones/subscriptions allow for Internet browsing).
Creates a global semaphore named TransmitterSemaphore_0x2001EB41.
Creates and/or modifies the following files:
- C:\system\data\prg.ini
- C:\private\2001EB41\prg.ini
- C:\private\2001EB41\state.txt
- C:\private\2001EB41\NumberFile.txt
- C:\private\2001EB41\TipFile.txt
- C:\private\2001EB41\PropertyFile.txt
- C:\private\2001EB41\NumberIndex.txt
- C:\private\2001EB41\IniNumberIndex.txt
Attempts to silently connect to the Internet.
Collects phone numbers from the device's contact list.
Attempts to send SMS messages to the list of numbers collected above; the messages feature a malicious Internet link to a copy of the worm.
|
Description Last Updated Date: Aug 28, 2009
Reference: ID - 755619
|