Registry Cleaner Geeks

November 10, 2009 6:17:48 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the worm is executed, it scans the following range of IP addresses and attempts to connect to SSH clients that use the default iPhone password:

* 192.168.0.0-192.168.255.255
* 202.81.64.0-202.81.79.255
* 23.98.128.0-123.98.143.255
* 120.16.0.0-120.23.255.255
* 114.72.0.0-114.75.255.255
* 203.2.75.0-203.2.75.255
* 210.49.0.0-210.49.255.255
* 203.17.140.0-203.17.140.255
* 203.17.138.0-203.17.138.255
* 211.28.0.0-211.31.255.255
* 58.160.0.0-58.175.255.25

Note: A random range of IP addresses is also scanned.

If the worm can successfully log in, it will attempt to copy itself across to the new host as one of the following sets of files, overwriting them if they already exist:

* /bin/poc-bbot
* /bin/sshpass

or

* /usr/libexec/cydia/startup
* /usr/libexec/cydia/startup-helper

It then copies the background image across as one of the following files:

* /var/log/youcanbeclosertogod.jpg
* /usr/libexec/cydia/startup.so

The worm then copies one of the following files across, so that the worm starts when the iPhone starts:

* /System/Library/LaunchDaemons/com.ikey.bbot.plist
* /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

It then changes the background image on the iPhone to the image it copied across.

The worm ends any SSH daemons running on the iPhone, removes the /bin/sshd file, and prevents the process from starting when the iPhone is restarted.

FREE SCAN:

Please click here for manual removal instructions.