SymbOS/Yxes.A!worm - Released Feb 18, 2009 - Last Updated Jun 09, 2009

Alias/es

Worm:SymbOS/Yxe, Worm:SymbOS/Yxe.gen

Detection Availability

                Active Database   Extended Database
FortiGate       low               high
FortiClient
FortiMail       N/A

Visible Symptoms

  • The repeated attempts by the worm to send SMS messages or connect to the Internet may yield:
    • Abnormally high phone bills
    • Rapid battery power loss
  • Presence of the following files:
    • c:\sys\bin\EConServer.exe
    • c:\private\101f875a\import\[2001EB45].rsc
  • The following applications can no longer be launched:
    • AppMgr
    • TaskSpy
    • Y-Tasks
    • ActiveFile
    • TaskMan

    Detailed Analysis

  • This worm targets mobile devices running Symbian OS 9.1 S60 3rd Edition (e.g. Nokia 3250, Nokia N73), but may run on a wider range of devices such as Symbian OS 9.2 S60 3rd Edition FP1.

  • It bears a valid certificate, signed by Symbian but since revoked. If online certificate checking is not enabled on the mobile device (the default setting on many phones), the worm installs flawlessly on "normal" (i.e. not "cracked") mobile devices under the application name Sexy View.

  • The application does not come with any menu or icon, so the end-user does not have any way to interact with it (apart from listing or uninstalling it from the Application Manager).


    Figure 1: Installed application on the device. The worm is running and is restarted each time the phone is switched back on.
  • The worm has the following potential capabilities:
    • Send SMS messages to phone numbers harvested from the infected device's SMS inbox. The messages contain a malicious web address (URL) from which the recipient downloads and installs a copy of the worm (provided their phone and subscription allow Internet browsing).

    • Gather intelligence on the infected victim (serial number of the phone, subscription number...) and post it to malicious servers likely to be controlled by cybercriminals.

    • Search for and kill some tasks or application manager applications.

    Technical details

  • Runs the EPOC executable EConServer.exe. This name is probably intentionally close to EComServer.exe, a legitimate Symbian executable.


    Figure 2: The EConServer.exe (malicious) executable running on the infected device.
  • Uses a valid but revoked certificate (revocation reason: 'Cessation of Operation'). Consequently, the malware won't install if the device is configured for mandatory on-line certificate verification. Note that if on-line certificate verification is enabled but not set to required and the network is unavailable, the installation of the malware is still possible, but leads to an additional pop-up asking for the end-user's confirmation.


    Figure 3: Popup requesting user confirmation.
  • Creates a global semaphore named EConServerSemaphore_0x2001EB45. This semaphore ensures a single copy of the worm runs on the device.

  • Parses Internet Access Providers configured on the device and lists operational providers for outgoing Internet traffic. Later, those providers are used to post intelligence data gathered on the device.

  • Parses SMS messages in the device's global inbox (without erasing them) and, in particular, looks for the case-insensitive string 'olpx', possibly followed by a D or a K.

  • Repeatedly searches for and, if found, kills the following processes:
    • AppMngr
    • TaskSpy
    • Y-Tasks
    • ActiveFile
    • TaskMan
  • Sends SMS messages containing a malicious address such as httpp://www.ww{Removed}.com from which copies of the malware are downloaded. An installation attempt is automatically triggered. This installation eventually succeeds (if the device owner confirms the installation).

  • Collects the following information from the infected system:
    • IMEI
    • IMSI (subscription number)
    • Phone manufacturer
    • Phone model. If the model cannot be retrieved, the worm sets the phone model by default to Nokia 3250.
    • Network information
  • Attempts to silently connect to the Internet, send an HTTP request containing the phone model and worm version, and parse HTTP responses - in particular for responses containing the string 'olpx'.

  • Creates a log file named mr.log, in which it writes various status information, such as "SetConnectionFailed", "SetConnectionSucceeded", "TimeUptoRoot".

  • Creates a .SISX file (signed Symbian installation file) named root.sisx in the C:\Data folder, and sets its attributes.

  • Modifies the file C:\system\data\System.ini.

  • Registers itself to load upon system restart.

  • Accesses, unlocks if necessary, and stores information on the memory card.
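As an added triage example (not part of the Fortinet write-up), the following Python matches a device artefact inventory against the file, process, semaphore, log and 'olpx' trigger indicators listed above; the sample inventory is constructed, and the `scan_device`/`is_yxes_infected` helpers are assumptions of this example.

```python
import re

# Indicators quoted from the analysis above. Path and name comparisons are
# case-insensitive because the Symbian file system is.
FILE_INDICATORS = {
    r"c:\sys\bin\econserver.exe",
    r"c:\private\101f875a\import\[2001eb45].rsc",
    r"c:\data\root.sisx",
}
PROCESS_INDICATORS = {"econserver.exe"}
SEMAPHORE_INDICATORS = {"econserversemaphore_0x2001eb45"}
LOG_MARKERS = ("SetConnectionFailed", "SetConnectionSucceeded", "TimeUptoRoot")
# The trigger the worm looks for in SMS and HTTP responses: 'olpx',
# case-insensitive, optionally followed by D or K (captured as the suffix).
OLPX_TRIGGER = re.compile(r"olpx([dk])?", re.IGNORECASE)


def _norm(name):
    return name.strip().replace("/", "\\").lower()


def scan_device(files, processes, semaphores, log_lines, sms_bodies):
    """Match device artefacts against the Yxes indicators; returns hits per category."""
    sms_hits = []
    for body in sms_bodies:
        m = OLPX_TRIGGER.search(body)
        if m:
            sms_hits.append((body, m.group(1)))  # suffix is 'D'/'K' or None
    return {
        "files": [f for f in files if _norm(f) in FILE_INDICATORS],
        "processes": [p for p in processes if _norm(p) in PROCESS_INDICATORS],
        "semaphores": [s for s in semaphores if _norm(s) in SEMAPHORE_INDICATORS],
        "log": [line for line in log_lines if any(mk in line for mk in LOG_MARKERS)],
        "sms": sms_hits,
    }


def is_yxes_infected(hits):
    """Only the dropped files, the running process or the semaphore are strong
    evidence; log strings and 'olpx' messages alone merely warrant a closer look."""
    return bool(hits["files"] or hits["processes"] or hits["semaphores"])


# Constructed sample inventory; EComServer.exe is the legitimate Symbian binary
# the worm's name imitates and must not match.
SAMPLE_FILES = [r"C:\sys\bin\EConServer.exe", r"C:\sys\bin\EComServer.exe",
                r"C:\private\101f875a\import\[2001EB45].rsc", r"C:\Data\root.sisx",
                r"C:\Data\photo.jpg"]
SAMPLE_PROCESSES = ["EComServer.exe", "EConServer.exe", "Phone.exe"]
SAMPLE_SEMAPHORES = ["EConServerSemaphore_0x2001EB45", "SysStartSemaphore"]
SAMPLE_LOG = ["SetConnectionSucceeded", "idle"]
SAMPLE_SMS = ["Hi, see you at 8", "OLPXK", "olpxd activate", "olpxz", "Olpx"]
```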

    Recommended Action

      It is recommended to configure your device for mandatory online certificate verification. This is typically configured in the Application Manager.


      Figure 4: Setting mandatory on-line verification on an N95 device.

        FortiGate Systems

      • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

        FortiClient Systems

      • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 753505