| Alias/es | Worm:SymbOS/Yxe.gen, SymbOS.Exy.C (Symantec) |
| Release Date | Jul 09, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 11.584 |

Description

Visible Symptoms

The repeated attempts by the worm to send SMS messages may yield:
- abnormally high bill
- rapid battery power loss
Presence of the following files:
- c:\sys\bin\AcsServer.exe or c:\sys\bin\MainSrv2.exe
- c:\sys\bin\Installer_0x20026CA6.exe or c:\sys\bin\Installer_0x20026CAA.exe
Detailed Analysis

SymbOS/Yxes.E!worm is classified as a Symbian worm.
It spreads on phones running Symbian OS 9 or later. It attempts to send SMS messages and connect to the Internet. Some versions masquerade as legitimate applications (trojanized applications).
This worm is a variant of SymbOS/Yxes.A!worm, with which it shares several functionalities.
- it bears a valid certificate, issued by the Symbian Certificate Authority, and installs flawlessly on "normal" (i.e. not "cracked") mobile devices under the application name "Sexy Space". Note, however, that this certificate has since been revoked.
- it does not come with any menu or icon, so the end-user does not have any way to interact with it (apart from listing or uninstalling it from the Application Manager).
- it attempts to send SMS messages to harvested phone numbers from the infected device's SMS inbox. The messages contain a malicious web address (aka a URL), so that the recipient downloads and installs a copy of the worm from that address (provided their phones/subscriptions allow for internet browsing).
- it gathers intelligence on the infected victim (serial number of the phone, subscription number...)
- it searches for and kills Y-Tasks, TaskSpy, ActiveFile and AppMgr.
It also shares several technical aspects of Yxes.A:
- it creates a semaphore to make sure only one instance of the malware is running. The semaphore is named EConServerSemaphore_0x2026GA5.
- it parses Internet Access Providers configured on the device and lists operational providers for outgoing Internet traffic
- it parses SMS messages in the device's global inbox (without erasing them) and, in particular, looks for the case-insensitive string 'olpx', possibly followed by a D or a K.
- it collects the IMEI, IMSI, phone manufacturer, phone model and network information of the phone
- it creates a log file named mr.log
- it writes binary data to C:\system\data\System.ini.
- it registers itself to load upon system restart.
- it accesses, unlocks if necessary, and stores information on the memory card.
The differences with SymbOS/Yxes.A!worm are the following:
- it attempts to post information to malicious web servers. Depending on the phone's information, the web servers respond with other malware hosted at other locations. Due to several bugs, however, this feature does not succeed.
- the main executable runs under the name AcsServer.exe, which is probably meant to be similar to the legitimate AccServer.exe. In some other versions, the main executable is named MainSrv2.exe.
- it creates a .SISX file (signed Symbian installation file) named kel.sisx in the C:\Data folder
- if the file exists, it reads binary information from c:\system\data\SisInfo.cfg
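As an added triage example (not part of this description), the following Python checks a device snapshot for the host artifacts listed above: the file names, the AcsServer.exe lookalike of the legitimate AccServer.exe, and the semaphore name. The Snapshot structure, the location of mr.log and the sample values are assumptions.

```python
"""Host-artifact triage for SymbOS/Yxes.E (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import List

# Indicators taken from the description; Symbian paths are matched case-insensitively.
YXES_E_FILES = {
    r"c:\sys\bin\acsserver.exe",
    r"c:\sys\bin\mainsrv2.exe",
    r"c:\sys\bin\installer_0x20026ca6.exe",
    r"c:\sys\bin\installer_0x20026caa.exe",
    r"c:\data\kel.sisx",
}
YXES_E_SEMAPHORE = "econserversemaphore_0x2026ga5"
LEGIT_SERVER = "accserver.exe"  # legitimate name that the worm's AcsServer.exe mimics


@dataclass
class Snapshot:
    """Assumed shape of a collected device snapshot (hypothetical structure)."""
    files: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    semaphores: List[str] = field(default_factory=list)


def triage(snap: Snapshot) -> List[str]:
    """Return one human-readable finding per matching artifact."""
    findings: List[str] = []
    for path in snap.files:
        lowered = path.lower()
        if lowered in YXES_E_FILES:
            findings.append(f"file: {path}")
        elif lowered.endswith("\\mr.log"):  # log file name is known, its folder is not
            findings.append(f"log: {path}")
    for proc in snap.processes:
        name = proc.lower().rsplit("\\", 1)[-1]
        if name == "acsserver.exe":  # one letter away from the legitimate AccServer.exe
            findings.append(f"process lookalike of {LEGIT_SERVER}: {proc}")
        elif name == "mainsrv2.exe":
            findings.append(f"process: {proc}")
    if any(s.lower() == YXES_E_SEMAPHORE for s in snap.semaphores):
        findings.append(f"semaphore: {YXES_E_SEMAPHORE}")
    return findings


def sample_snapshot() -> Snapshot:
    """Constructed sample mixing the worm's artifacts with the legitimate AccServer.exe."""
    return Snapshot(
        files=[r"C:\Sys\Bin\AcsServer.exe", r"C:\Data\kel.sisx",
               r"C:\sys\bin\AccServer.exe", r"C:\logs\mr.log"],
        processes=["AccServer.exe", "AcsServer.exe"],
        semaphores=["EConServerSemaphore_0x2026GA5"],
    )


if __name__ == "__main__":
    for finding in triage(sample_snapshot()):
        print(finding)
```

The legitimate AccServer.exe entries produce no finding, so the check separates the lookalike from the file it imitates rather than flagging both.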
Description Last Updated Date: Sep 11, 2009
Reference: ID - 931398