SymbOS/Yxes.I!worm

Alias/es: Worm:SymbOS/Yxe (F-Secure), SymbOS.Exy (Symantec), LanPackage (NetQin)
Release Date: Jun 02, 2010
Detection Availability
                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Abnormally high bill due to MMS sending
  • Presence of a skull picture at c:\System\Data\data.jpg

Detailed Analysis

This worm is a variant of SymbOS/Yxes.A!worm. It targets S60 3rd edition phones and sends multiple MMS at the victim's expense.

Technical Details

This worm parses Internet Access Points available on the phone, so as to establish stealth Internet connections with a remote malicious website from which it downloads configuration data.

The web pages it contacts are the following:
  • http://REMOVED/PropertyFile.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=..
  • http://REMOVED/TipFile.jsp?FileType=2&LanguageCode=&Version=2.1&PhoneType=..&PhoneImei=...&PhoneImsi=...
  • http://REMOVED/TipFile.jsp?Version=2.1&FileType=1&LanguageCode=..&PhoneType=&PhoneImei=...&PhoneImsi=...
  • http://REMOVED/NumberFile.jsp?Version=2.1&PhoneType=..&PhoneImei=..&PhoneImsi=..
Note that it sends the victim's IMEI, IMSI and phone model to the malicious websites.
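As an added example (not part of the original advisory), the following script shows how a defender could spot these beacons in HTTP proxy logs: it matches the endpoint paths listed above together with the PhoneImei/PhoneImsi parameters the worm appends. The log format, hostnames and sample lines are constructed, since the real hosts are redacted.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoints the advisory lists; hostnames were redacted, so match on path only.
YXES_PATHS = {"/PropertyFile.jsp", "/TipFile.jsp", "/NumberFile.jsp"}
# Device identifiers the worm sends to its server.
DEVICE_ID_PARAMS = {"PhoneImei", "PhoneImsi"}

# Constructed sample proxy log lines: "<client> <method> <url>" (hosts are fictitious).
SAMPLE_LOG = """\
10.0.0.5 GET http://example.invalid/PropertyFile.jsp?Version=2.1&PhoneType=N95&PhoneImei=123456789012345&PhoneImsi=310150123456789
10.0.0.5 GET http://example.invalid/TipFile.jsp?FileType=2&LanguageCode=&Version=2.1&PhoneType=N95&PhoneImei=123456789012345&PhoneImsi=310150123456789
10.0.0.7 GET http://www.example.invalid/index.html
10.0.0.9 GET http://other.invalid/NumberFile.jsp?Version=2.1&PhoneType=E71&PhoneImei=490154203237518&PhoneImsi=262011234567890
"""

def classify_request(url):
    """Return a dict describing a Yxes beacon, or None if the URL does not match."""
    parts = urlsplit(url)
    if parts.path not in YXES_PATHS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if not DEVICE_ID_PARAMS.issubset(query):
        return None  # same page name, but without the worm's identifier parameters
    return {
        "endpoint": parts.path.lstrip("/"),
        "version": query.get("Version", [""])[0],
        "imei": query["PhoneImei"][0],
        "imsi": query["PhoneImsi"][0],
    }

def scan_log(text):
    """Return a list of (client, finding) for every beacon-like request in the log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crashing on them
        client, _method, url = fields
        finding = classify_request(url)
        if finding:
            hits.append((client, finding))
    return hits

if __name__ == "__main__":
    for client, f in scan_log(SAMPLE_LOG):
        print(f"{client}: {f['endpoint']} beacon, IMEI {f['imei']}, IMSI {f['imsi']}")
```

A hit on any of these paths with an IMEI/IMSI pair is a strong sign that the device behind the client address is infected, so the IMEI can be used to trace the handset.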
It parses the contacts on the victim's phone, retrieving family name, given name, company name and phone number.
It creates an MMS in the phone's Drafts box. This MMS is typically titled 'Beauty' and contains an attached image showing a skull together with a link to a malicious website from which new victims may download the worm. Once sent, the MMS is erased from the Sent box.


Figure 1. Skull attached to the MMS the worm sends.
The worm drops or creates the following malicious files on the device:
  • in a private directory within c:\private (e.g. C:\private\A0001836), it uses several configuration files: NumberFile.txt, PropertyFile.txt, TipFile.txt, TipFile_Pbk.txt, state.txt, NumberIndex.txt, Remote_Para.txt
  • C:\System\Data\data.jpg: this is a copy of the skull image to attach to MMS
  • C:\sys\bin\ddast.exe or ffast.exe: main malicious executable

The major differences with prior versions of this worm are the following:
  • the worm sends MMS, not SMS messages.
  • the worm does monitor and kill any application.

Description Last Updated Date: Jun 04, 2010
Reference: ID - 1851178