Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Eeki.A is a worm that only affects jailbroken iPhone or iPod Touch devices (any of the three versions), that is, devices that allow code not authorized by Apple to run.
Eeki.A carries out the following actions:
- Firstly, it checks that it is not already running on the device. In order to do so, it checks if the file /var/lock/bbot.lock exists.
- In order to infect the devices, it has a predefined range of IP addresses, and generates one randomly, which will be the targeted IP address.
- First, it tries to spread on the subnet the device is connected to. Then, it tries to create a random IP range and finally it tries pre-established ranges corresponding to certain companies' IP addresses.
- Once the IP address is generated, it tries to access the jailbroken iPhone or iPod Touch device remotely by establishing an SSH connection and using the default password of root (that is, the system Administrator), which is common to all iPhoneOS devices (iPhone and iPod Touch, the three versions of both).
- If access is denied, it generates another random IP and repeats the process until it gets a valid IP address of a vulnerable device. Once found, it can gain remote access to the device, and it copies itself to the affected device.
- Finally, it stops the SSH daemon (SSH is a protocol that allows access to remote systems through a network) and copies an image of the singer Rick Astley to use as the wallpaper of the device.

Infection strategy
Eeki.A copies itself with the following names in the /System/Library/LaunchDaemons directory, so that it is run when the device is restarted:
- com.saurik.Cydia.Startup.plist
- com.ikey.bbot.plist
Besides these two files, the following files are involved in the infection:
- bbot.lock, in the /var/lock directory. The worm checks whether this file is in use.
- startup.so and startup, in the /usr/libexec/cydia directory. The first file corresponds to the image it sets as wallpaper. The second is an executable.
- LockBackground.jpg, in the /var/mobile/Library directory. This is the file that configures the device wallpaper.
Means of transmission
Eeki.A tries to spread on the subnet the device is connected to. Then, it tries to create a random IP range and finally it tries pre-established ranges corresponding to certain companies' IP addresses until it finds a vulnerable device.
Further Details
Eeki.A is 27,162 bytes in size.
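The following is an added example, not part of the original entry and not Panda Security's tooling: a shell function that checks a mounted or extracted device filesystem for the files listed under "Infection strategy" and flags any regular file whose size equals the 27,162 bytes given above. The names eeki_scan and eeki_count and the root-directory argument are assumptions; the entry does not say whether any of these names also exist on clean jailbroken devices, so a hit is a lead to examine, not proof of infection.

```shell
#!/bin/sh
# Files this entry lists as involved in an Eeki.A infection.
EEKI_PATHS='
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup
/var/mobile/Library/LockBackground.jpg
'
EEKI_SIZE=27162   # worm size in bytes, from "Further Details"

# eeki_scan ROOT (hypothetical helper name)
# ROOT is the directory where the device filesystem is mounted or extracted.
# Prints one line per listed path that exists under ROOT.
eeki_scan() {
    root=${1%/}
    for p in $EEKI_PATHS; do
        f="$root$p"
        if [ -f "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
            if [ "$size" -eq "$EEKI_SIZE" ]; then
                # Same size as the worm body reported in this entry.
                echo "found $p size=$size SIZE-MATCH"
            else
                echo "found $p size=$size"
            fi
        elif [ -e "$f" ] || [ -L "$f" ]; then
            echo "found $p (not a regular file)"
        fi
    done
}

# eeki_count ROOT: number of listed paths present under ROOT.
eeki_count() {
    eeki_scan "$1" | wc -l | tr -d ' '
}

# Scan only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    eeki_scan "$1"
fi
```

Run it against a read-only mount or an extracted copy of the filesystem rather than on the live device, so that the scan does not alter timestamps on the files being examined.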