Masquerades as legit application and sends out malicious text messages

Jul 9, 2009 10:18 GMT

A new variant of the Yxes (Yxe) worm for Symbian S60 3rd edition has been found spreading in Saudi Arabia by mobile security company NetQin. Like its earlier versions, this new threat poses as a legitimate application and is digitally signed.

NetQin names this new threat Transmitter.C and notes that it masquerades as a legit Symbian security application called "Advanced Device Locks." Furthermore, according to Dancho Danchev, an independent security consultant who also analyzed the sample, the worm is digitally signed with a certificate issued to XinZhongLi Kemao Co. Ltd.

The localized vendor's name is "Play Boy," just as with other Yxes versions. Upon installation, the worm drops three files in the system: Installer_0x20026CA6.exe, AcsServer.exe and [20026CA5].rsc. AcsServer.exe (previously called EConServer.exe) executes every time the phone is rebooted.

The worm propagates by sending adult-oriented text messages to all the numbers in the device's address book. These SMS messages include a malicious link, which, when opened, attempts to install the worm on the visitor's phone.

According to NetQin, about 500 messages are being sent at intervals of 10-15 seconds, without leaving any traces in the "Sent" folder. Besides the obvious cost to victims, who can lose a lot of money, the obscene nature of the messages means the worm can also damage the reputation of the affected individuals.
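Because the handset keeps no record in the "Sent" folder, the pattern above has to be spotted from records held elsewhere. The following Python heuristic is an added example, not code from NetQin or the original article: it flags a sender whose link-bearing messages go to many distinct recipients with gaps of 15 seconds or less. The record format, the thresholds and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
MAX_GAP_S = 15      # assumption: upper end of the 10-15 s interval reported above
MIN_RUN = 5         # assumption: link-bearing messages in a row before alerting
MIN_RECIPIENTS = 5  # assumption: address-book fan-out, not a two-party chat

def parse(line):
    """Split one 'timestamp|sender|recipient|body' record (constructed format)."""
    ts, sender, recipient, body = line.split("|", 3)
    return datetime.fromisoformat(ts), sender, recipient, body

def find_sms_bursts(lines):
    """Return {sender: (messages_in_run, distinct_recipients)} for worm-like runs."""
    by_sender = defaultdict(list)
    for line in lines:
        ts, sender, recipient, body = parse(line)
        if URL_RE.search(body):              # only messages carrying a link
            by_sender[sender].append((ts, recipient))
    alerts = {}
    for sender, msgs in by_sender.items():
        msgs.sort()
        run = best = [msgs[0]]
        for prev, cur in zip(msgs, msgs[1:]):
            gap = (cur[0] - prev[0]).total_seconds()
            # extend the current run while gaps stay short, otherwise restart it
            run = run + [cur] if gap <= MAX_GAP_S else [cur]
            if len(run) > len(best):
                best = run
        recipients = {r for _, r in best}
        if len(best) >= MIN_RUN and len(recipients) >= MIN_RECIPIENTS:
            alerts[sender] = (len(best), len(recipients))
    return alerts

def sample_log():
    """Constructed records: one fan-out burst and one ordinary conversation."""
    t0 = datetime(2009, 7, 9, 10, 0, 0)
    burst = [f"{(t0 + timedelta(seconds=12 * i)).isoformat()}|+100|+2{i:02d}|"
             "look at this http://link.example/a" for i in range(8)]
    chat = [f"{(t0 + timedelta(minutes=7 * i)).isoformat()}|+300|+301|"
            "photos are at www.photos.example" for i in range(3)]
    return burst + chat

if __name__ == "__main__":
    print(find_sms_bursts(sample_log()))
```
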

The Yxes worm originated in China, but news of it reaching Saudi Arabia prompts serious concerns that it might spread to other markets as well. It is not yet clear what the motives for distributing this malware are, but NetQin malware analysts speculate that it might also be used to subscribe victims to unwanted services.

Samples of this new variant have already been shared with other mobile antivirus vendors, which are soon expected to include detection for it in their products. Users who don't yet have an antivirus solution installed on their phones might want to consider getting one, as there are worrying signs that mobile malware is on the rise.