Got Worms? How to Clean your Infected iPhone

[Nick Hesson]

Recently we covered an article about the new iPhone worm that has been going around which affects users with OpenSSH installed and have not changed the default password. It started off innocent and escalated to something more threatening.

While there is of course the ability to change your password, some of you might not be so lucky and worms could be crawling your iPhone. Do not fret, as today I bring you some options for cleaning your iPhone. While not all of these options will bring you success, at least you'll know what your options are.

You'll need to download a copy of MobileTerminal from Cydia before hand, so if you don't already have that, go grab it now.

There are three worms currently going around, and of course lucky for us, each one requires a different fix.

Open MobileTerminal and use these commands to delete the unwanted files. These commands are case-sensitive.

1. The ikee/Rick Astley worm

This crude worm is non-threatening but unfortunately very ugly to look at.

In order to fix this ridiculous worm, we'll need to start up MobileTerminal and get into the root account directory. You will be required to enter a password. If you haven't changed it yet, the password is "alpine." Enter the following into MobileTerminal pressing enter after each command.

su root

rm /bin/poc-bbot

rm /bin/sshpass

rm /var/log/youcanbeclosertogod.jpg

rm /var/mobile/LockBackground.jpg

rm /System/Library/LaunchDaemons/com.ikey.bbot.plist

rm /var/lock/bbot.lock

If your phone stll has the picture of Rick Astley, unfortunately it can get tricky and messy, but you will need to remove these files as well to get rid of Rick.

rm /usr/libexec/cydia/startup

rm /usr/libexec/cydia/startup.so

rm /usr/libexec/cydia/startup-helper

rm /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

The downfall to removing these last few files will require you to reinstall Cydia unfortunately.

2. iPhone/Privacy A:

This bad boy likes to grab your personal information and send it to whomever it wishes

Slimy one this one is. In order to remove this stinky worm, you'll need to use an AntiVirus program. Intego's VirusBarrier X5 works great on the Mac and will catch it no problem. Unfortunately those on a PC don't get any useful tips on what virus program will detect this, but if you know, feel free to share your tip!

Of course you could also do a restore and that would solve your problem, but doing so you may lose personal information. Of course if you go this route, and install OpenSSH again, please for the love of god change your password.


3. The Third Worm (Insert Snappy Virus Name):

This one is a bit more rare and pertains more to your location.
It copies personal data from your iPhone and also redirects online banking customers of a Dutch bank to a phishing web site.

Unfortunately I have no good news for you if your looking for a quick fix on this one. You'll need to do a full restore to remove this pesky bugger. And of course the same applies, if you Jailbreak again, please for the love of god change your password!

UPDATE: A user in the replies has noted the following:

I read somewhere a couple of days ago (you'd have to google for it to confirm this) that the worm that redirects you to a fake bank website also changes your root password to "ohsh1t" (but the 1 is really an i, you get the idea). I don't know if this is the worm you have, but I'm just trying to help out...

If you have any other tips for removing these worms, please share your experiences. I have yet to even talk to someone who has been affected by one of these, so no true experiences to share.

Thanks to iSmashiPhone for the de-worming tips.

Check out our previous coverage on these Worms:

Malicious Worm Takes Aim at Jailbroken iPhones
Malware Allows Access to Jailbroken iPhones
Aussie Worm Rickrolls Jailbroken iPhones

[metaljay]

could you not install the 'iphone firewall' i forgot the name on cyida, and block all outgoing connections lol???
surely this would stop the worm in its tracks

[Nick Hesson]

could you not install the 'iphone firewall' i forgot the name on cyida, and block all outgoing connections lol???
surely this would stop the worm in its tracks

Actually, that would probably work. However, If I ever got the worm, I would want it out of my system for sure, not just masking it.

And Firewall IP would be a $2.49 fix, when you could just fix it for free That is if you didn't already have Firewall IP

[dklst]

How do I change my password? I just got the Iphone and a buddy set up everything for me(blackrain, cydia, *********, etc)

Thanx

jus found it in the forums but whats the old password?

OOps. I got it. Didnt see it above. Great forum

[Nick Hesson]

How do I change my password? I just got the Iphone and a buddy set up everything for me(blackrain, cydia, *********, etc)

Thanx

jus found it in the forums but whats the old password?

OOps. I got it. Didnt see it above. Great forum

default password is alpine

[-=viper=-]

what i want to know is how can i tell if i have the 2nd and 3rd worm?
the first one is pretty easy to detect - but those two...

[pdogg626]

can i get that worm i didn't install that open SSH?

[mgebara]

can i get that worm i didn't install that open SSH?

Nope you're good since the worms need ssh to get into your phone.

[cradaga1]

how do you change the default password? This increase in malicious software is starting to freak me out. I hate restoring my phone.

[kodath]

what i want to know is how can i tell if i have the 2nd and 3rd worm?
the first one is pretty easy to detect - but those two...

x2 i would like to know this as well...

[psp257]

no, its alpine, not apline

[hollow0]

thank goodness i've already changed my password. It's the first thing i did after installing it!

[psp257]

i was talking to nickhesson

[Dizzy714]

How do you change your password?

[psp257]

look at the article up page

[Dizzy714]

Alright after I logged in I went up to preferences and made a Master Password, was that what I was supposed to do? I don't like having to enter the master pass every time I want to login, there's no option to save the pass - it's like a password overtop of the alpine password, so alpine isn't changed. Every time I type in anything other than alpine in that slot, it says it needs a pre-authenticated password.

[psp257]

i dont really know how to do all this stuff. besides, these worms aren't in the usa, only around europe.

[JazJon]

Has anyone created an app to change your passwords? I know the terminal and commands are not the complex to do, but still. Easy is Easy.

[Nick Hesson]

no, its alpine, not apline

hahha yea, it was wayyyy to early in the morning. thanks for catching that.

ALPINE

[kadinh]

to change root password:

* install and run "Mobile Terminal"
* type su root at the shell prompt and tap enter
* type passwd and tap enter
* enter alpine for your old password
* enter new password
* enter new password again to confirm