
SymbOS/Yxes.D!worm - Released Feb 19, 2009 - Last Updated Jun 09, 2009

Detection Availability

               Active Database    Extended Database
FortiGate      low                high
FortiClient
FortiMail      N/A

Visible Symptoms

  • The repeated attempts by the worm to send SMS messages may yield:

    • Rapid battery power loss
    • Abnormally high phone bills

  • Presence of the following files:

    • c:\sys\bin\BootHelper.exe
    • c:\private\101f875a\import\[20017741].rsc

Detailed Analysis

This worm is a variant of SymbOS/Yxes.A!worm, with which it shares many functionalities.

  • It targets mobile devices running SymbianOS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices, as it has been reported to run on phones operating SymbianOS S60 3rd Edition FP 1 (e.g. Nokia N73). It bears a valid certificate signed by Symbian, and as such installs flawlessly on "normal" (i.e. not "cracked") mobile devices running S60 3rd Edition.

  • It harvests phone numbers from the infected device's contact list, and repeatedly attempts to send SMS messages to those. The messages feature a malicious Web address (aka a URL); upon "clicking" on this address in the received message, the recipients will effectively download a copy of the worm (provided their phones/subscriptions allow for internet browsing).

  • Beyond propagating to as many users as possible via the strategy mentioned above, the worm's aim is to gather intelligence on the infected victim (serial number of the phone, subscription number...) and post it to a malicious server likely controlled by cybercriminals.


Technical details

  • Upon loading, attempts to execute the files listed in the file C:\bh.txt. If this file does not exist, the worm creates it and writes the entry "C:\sys\bin\CallMasterD.exe;" into it. CallMasterD.exe is a component of a free application embedding a personal IVR (Interactive Voice Response).

  • Kills the following processes:
    • AppMngr
    • TaskSpy
    • Y-Tasks
  • Creates a .SISX file (signed Symbian installation file) named Download.sisx in the C:\ folder.

  • Modifies the file C:\system\data\prg.ini.

  • Creates a log file named bh.log.

  • Tries to create and modify the following files, located in the !:\private\20017741\  folder:
    • bs.txt
    • CmdSerialNumber.txt
    • SelfNumber.txt
    • AvailableIndex.txt
  • Attempts to silently connect to the Internet.

  • Attempts to collect the following information from the infected system:
    • IMEI
    • IMSI
    • Phone type
    • Phone number
    • Version
  • Posts the information collected above to a web server via HTTP.

  • Collects phone numbers from the device's contact list.

  • Attempts to send SMS messages to the list of numbers collected above; the messages feature a malicious internet link to a copy of the worm.

  • Registers itself to load upon system restart.
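The file paths under "Visible Symptoms" and the files created or modified in the technical details above are the host-side indicators a responder would check on an exported file listing from a suspect handset. The following Python script is an added example, not part of this write-up or of any Fortinet tool: it matches a file listing against those indicator paths (case-insensitively, treating Symbian's "!:" install-drive placeholder as any drive letter, which is an assumption) and parses the semicolon-separated launch list in bh.txt, flagging the CallMasterD.exe entry the worm is described as writing. The file listing and bh.txt content embedded below are constructed sample data.

```python
import re

# Indicator file paths taken from the write-up. "!:" is Symbian's install-drive
# placeholder; this example treats it as "any drive letter" (an assumption).
IOC_PATHS = [
    r"c:\sys\bin\BootHelper.exe",
    r"c:\private\101f875a\import\[20017741].rsc",
    r"c:\bh.txt",
    r"c:\Download.sisx",
    r"c:\system\data\prg.ini",
    r"!:\private\20017741\bs.txt",
    r"!:\private\20017741\CmdSerialNumber.txt",
    r"!:\private\20017741\SelfNumber.txt",
    r"!:\private\20017741\AvailableIndex.txt",
]

# Entry the write-up says the worm writes into C:\bh.txt when the file is missing.
BH_TXT_KNOWN_ENTRY = r"C:\sys\bin\CallMasterD.exe"


def _ioc_to_regex(path):
    """Compile one indicator path into a case-insensitive, drive-aware regex."""
    drive, rest = path[0], path[1:]
    drive_re = "[a-z]" if drive == "!" else re.escape(drive.lower())
    return re.compile("^" + drive_re + re.escape(rest.lower()) + "$")


IOC_PATTERNS = [(p, _ioc_to_regex(p)) for p in IOC_PATHS]


def match_file_listing(listing):
    """Return (indicator, listing entry) pairs for every listing entry that
    matches one of the indicator paths. Forward slashes are normalised to
    backslashes so listings exported by different tools compare equally."""
    hits = []
    for entry in listing:
        norm = entry.strip().lower().replace("/", "\\")
        for ioc, pattern in IOC_PATTERNS:
            if pattern.match(norm):
                hits.append((ioc, entry.strip()))
    return hits


def parse_bh_txt(content):
    """Split the semicolon-separated launch list in bh.txt into individual paths."""
    return [e.strip() for e in content.split(";") if e.strip()]


def triage(listing, bh_txt_content=None):
    """Produce human-readable findings from a file listing and, optionally,
    the recovered content of C:\\bh.txt."""
    findings = []
    for _ioc, entry in match_file_listing(listing):
        findings.append("ioc file present: %s" % entry)
    if bh_txt_content is not None:
        for path in parse_bh_txt(bh_txt_content):
            if path.lower() == BH_TXT_KNOWN_ENTRY.lower():
                findings.append("bh.txt launch entry matches worm-written value: %s" % path)
            else:
                findings.append("bh.txt launch entry (review manually): %s" % path)
    return findings


# Constructed sample data: a partial file listing from a handset and the
# content of its C:\bh.txt. Not taken from a real device.
SAMPLE_LISTING = [
    r"C:\sys\bin\BootHelper.exe",
    r"C:\Private\101f875a\import\[20017741].rsc",
    r"E:\private\20017741\SelfNumber.txt",
    r"C:\resource\apps\Calendar.rsc",
]
SAMPLE_BH_TXT = "C:\\sys\\bin\\CallMasterD.exe;"


if __name__ == "__main__":
    for line in triage(SAMPLE_LISTING, SAMPLE_BH_TXT):
        print(line)
```

Run against the constructed sample, the script reports three indicator files present (the benign Calendar.rsc is ignored) plus the matching bh.txt launch entry; on a real export, feed it the full listing and the recovered bh.txt content.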

Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 755618