We have created a video on how the iPhone/Eeki worm targeting iPhones works.

You can see it here:

As you can see in the video, this malware first checks it is not already running on the device. To do so, it checks whether the following file exists:


This may help you know if you are infected; if the information is in your device, it means the worm is there.
Next, it changes the device host and stops the SSH daemon.
It then tries to spread on the subnet the phone is connected to and tries to create a random IP range. It tries pre-established ranges corresponding to certain companies’ IP addresses:


Once the IP address is created, it remotely accesses the jailbroken iPhone device, establishing an SSH connection and using the default root key, included in all iPhoneOS devices (1G, 2G and 3G Iphone and ipod touch devices). If access is denied, it tries to create a random IP again and repeats the process until it obtains a valid IP from a vulnerable victim.

Once the victim is found with the previous credentials, it obtains a remote session and copies itself to the affected phone, adding:


to run on restart.

It stops the SSH service that has caused the infection. Finally, it copies a photo of Rick Astley and uses the image as the device wallpaper.


“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.