Threat Encyclopedia

SYMBOS_YXES.B

Malware type: Symbian

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Symbian

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: Low

Distribution potential: Low

Infection Channel 1: Propagates via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

SYMBOS_YXES.B Behavior Diagram

Malware Overview

Trend Micro has flagged SYMBOS_YXES.B as noteworthy due to the increased potential for damage, propagation, or both, that it possesses.

It has received attention from independent media sources and/or other security firms.

This Symbian malware may be downloaded unknowingly by a user when visiting malicious Web sites.

It is a Symbian Information Source (SIS) file that collects the following information on the affected mobile device:

  • Phone identification
  • Subscriber identification
  • Network Information

Upon execution, it displays an image prompting the user to install the malicious software.

It then drops components.

It remains running in the background and attempts to connect to the Internet, from which it may retrieve messages that it then spams to the contacts found on the compromised device.

It may also compose messages that can be part of its spamming routine.

It also terminates certain processes if found running in the system.

Part of its lure to users is the Supplier information in the installation package, which reads "Playboy".

It affects mobile devices running the Symbian operating system.

Description created: Jul. 22, 2009 4:30:02 AM GMT -0800


TECHNICAL DETAILS


File type: SIS

Memory resident: No

Size of malware: Varies

Initial samples received on: Jul 12, 2009

Payload 1: Terminates processes

Payload 2: Displays graphics

Details:

This Symbian malware may be downloaded unknowingly by a user when visiting malicious Web sites.

It is a Symbian Information Source (SIS) file that collects the following information on the affected mobile device:

  • Phone identification
  • Subscriber identification
  • Network Information

Upon execution, it displays an image prompting the user to install the malicious software.

It then drops the following components:

  • C:\sys\bin\Installer_0x20026CA6.exe - installer component
  • C:\sys\bin\AcsServer.exe - detected as SYMBOS_YXES.B
  • C:\private\101f875a\import\[20026CA5].rsc - startup resource file that causes AcsServer.exe to be launched when the device is turned on
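The following Python routine is an added example, not part of the Trend Micro entry: it checks a device file listing for the three components above. The listing is constructed for the demo, and the extra heuristic that flags any unexpected .rsc under C:\private\101f875a\import\ is my generalization, based on that directory being where Symbian keeps its startup-list entries.

```python
# Added example: indicator check for the SYMBOS_YXES.B components listed above.
# The file listing below is constructed for the demo, not captured from a device.
from typing import Dict, Optional

# Dropped binaries from the entry; compared case-insensitively, since Symbian
# file paths are not case-sensitive.
DROPPED_BINARIES = {
    r"c:\sys\bin\installer_0x20026ca6.exe",
    r"c:\sys\bin\acsserver.exe",
}
# The startup-list resource named in the entry, and its import directory.
# Assumption: any other .rsc in this directory is an unexpected boot-time
# launch entry and deserves a manual look (not a YXES-specific indicator).
STARTUP_IMPORT_DIR = "c:\\private\\101f875a\\import\\"
KNOWN_STARTUP_RSC = r"c:\private\101f875a\import\[20026ca5].rsc"


def classify_path(path: str) -> Optional[str]:
    """Return an indicator label for one path, or None if it matches nothing."""
    p = path.strip().lower()
    if p in DROPPED_BINARIES:
        return "yxes_dropped_binary"
    if p == KNOWN_STARTUP_RSC:
        return "yxes_startup_entry"
    if p.startswith(STARTUP_IMPORT_DIR) and p.endswith(".rsc"):
        return "unknown_startup_entry"
    return None


def scan_listing(listing: str) -> Dict[str, str]:
    """Map each flagged path (as written in the listing) to its label."""
    findings: Dict[str, str] = {}
    for line in listing.splitlines():
        label = classify_path(line)
        if label:
            findings[line.strip()] = label
    return findings


def is_infected(findings: Dict[str, str]) -> bool:
    """True only on YXES-specific indicators, not on the generic startup heuristic."""
    return any(label.startswith("yxes_") for label in findings.values())


# Constructed sample listing: two dropped binaries, the known startup entry,
# one unexpected startup entry, and two benign files.
SAMPLE_LISTING = """\
C:\\sys\\bin\\AcsServer.exe
C:\\sys\\bin\\Installer_0x20026CA6.exe
C:\\private\\101f875a\\import\\[20026CA5].rsc
C:\\private\\101f875a\\import\\[deadbeef].rsc
C:\\resource\\apps\\Calendar.rsc
C:\\Data\\Images\\photo.jpg
"""

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for flagged_path, label in result.items():
        print(f"{label:22s} {flagged_path}")
    print("infected:", is_infected(result))
```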

It remains running in the background and attempts to connect to the Internet, from which it may retrieve messages that it then spams to the contacts found on the compromised device.

It may also compose messages that can be part of its spamming routine.

It also terminates the following processes if found running in the system:

  • AppMngr
  • TaskSpy
  • Y-Tasks
  • ActiveFile
  • TaskMan

Part of its lure to users is the Supplier information in the installation package, which reads "Playboy".

It affects mobile devices running the Symbian operating system.

Analysis By: Michael Cabel

Updated By: Jessa De La Torre


SOLUTION


Minimum scan engine version needed: 8.700

Pattern file needed: 6.267.00

Pattern release date: Jul 12, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Step 1: Scan your mobile phone with the latest Trend Micro Mobile Security pattern file to delete files detected as SYMBOS_YXES.B



