Clean Up Ikee.b Worm From iPhone [How To]

This article is for those who think (or are even sure) that their iPhone has been attacked by the malicious Ikee.b worm. Below is a description of the worm, an overview of how it works, and the steps to remove it. The worm is dangerous because it can do a lot of harm to your device: Ikee.b scans for devices with an open SSH port and the default root password, then writes its files onto iOS, extracts and installs them, and from that point on your handset can be used as part of a botnet. Fortunately, there is a simple way to delete the worm from your device once and for all.


To detect whether your iPhone is infected, check your root password and whether you can still connect over SSH. If you can no longer connect to your device by SSH and your root password is ‘alpine’ (the default), your fears are most likely justified. If you are still not sure, check whether you have files such as com.apple.ksyslog.plist and com.apple.period.

If the Ikee.b worm managed to get into the system, it will try to write its files to:

/bin/poc-bbot
/bin/sshpass

or

/usr/libexec/cydia/startup
/usr/libexec/cydia/startup-helper

After that it changes the background image and drops two more files:

/var/log/youcanbeclosertogod.jpg
/usr/libexec/cydia/startup.so

And finally it writes these files into the startup (LaunchDaemons) directory:

/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

That last step makes the worm start again on the next iPhone boot, and it also kills SSH access by deleting /bin/sshd.

You can delete the Ikee.b worm simply by removing these files:

/bin/poc-bbot
/bin/sshpass
/usr/libexec/cydia/startup
/usr/libexec/cydia/startup-helper
/var/log/youcanbeclosertogod.jpg
/usr/libexec/cydia/startup.so
/System/Library/LaunchDaemons/com.ikey.bbot.plist

After deleting those, /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist should contain only the stock Cydia startup entries and look like this:

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.saurik.Cydia.Startup</string>
    <key>Program</key>
    <string>/usr/libexec/cydia/startup</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

That’s it: your device is now free of the worm. Now reinstall SSH and reboot the iPhone.
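To make the detection and clean-up steps above concrete, here is a small POSIX shell script. It is an added example, not code from the original article or from the worm: it scans a filesystem tree for the indicator files listed above, checks that the Cydia startup plist carries only the stock Label and Program entries shown above, and removes the indicators. It takes a root directory as a parameter so it can be exercised against a constructed copy of a filesystem rather than a live device; the function names (ikee_scan, cydia_plist_ok, ikee_clean) and the sample ‘infected’ tree it builds are assumptions for demonstration, and the extra plist entry in that sample is illustrative, not the worm’s actual modification.

```shell
#!/bin/sh
# Added example, not code from the original article. ROOT is a directory prefix
# so the functions can run against a constructed copy of a filesystem; on a
# jailbroken device you would pass "/" over SSH as root, then reinstall SSH
# and reboot as the article says.

# Indicator paths from the article, relative to ROOT.
IKEE_FILES="bin/poc-bbot
bin/sshpass
usr/libexec/cydia/startup
usr/libexec/cydia/startup-helper
usr/libexec/cydia/startup.so
var/log/youcanbeclosertogod.jpg
System/Library/LaunchDaemons/com.ikey.bbot.plist"

CYDIA_PLIST="System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"

# cydia_plist_ok ROOT: 0 if the plist carries only the label and program shown
# in the article (com.saurik.Cydia.Startup / /usr/libexec/cydia/startup), else 1.
cydia_plist_ok() {
    plist="${1%/}/$CYDIA_PLIST"
    [ -f "$plist" ] || return 1
    grep -q '<string>/usr/libexec/cydia/startup</string>' "$plist" || return 1
    # Any other <string> value means the daemon was repointed or extended.
    ! grep -o '<string>[^<]*</string>' "$plist" \
        | grep -v -e '<string>com.saurik.Cydia.Startup</string>' \
                  -e '<string>/usr/libexec/cydia/startup</string>' \
        | grep -q .
}

# ikee_scan ROOT: print each indicator present; status 0 = infected, 1 = clean.
ikee_scan() {
    root="${1%/}"; found=0
    for f in $IKEE_FILES; do
        if [ -e "$root/$f" ]; then
            echo "FOUND: $root/$f"; found=1
        fi
    done
    if ! cydia_plist_ok "$root"; then
        echo "SUSPECT: $root/$CYDIA_PLIST has more than the stock Cydia entries"
        found=1
    fi
    [ "$found" -eq 1 ]
}

# ikee_clean ROOT: delete every indicator file present; prints how many were removed.
ikee_clean() {
    root="${1%/}"; removed=0
    for f in $IKEE_FILES; do
        if [ -e "$root/$f" ]; then
            rm -f "$root/$f"; removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# write_clean_cydia_plist ROOT: restore the plist to the form the article shows.
write_clean_cydia_plist() {
    mkdir -p "${1%/}/$(dirname "$CYDIA_PLIST")"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0">' '<dict>' \
        '    <key>Label</key>' '    <string>com.saurik.Cydia.Startup</string>' \
        '    <key>Program</key>' '    <string>/usr/libexec/cydia/startup</string>' \
        '    <key>RunAtLoad</key>' '    <true/>' \
        '</dict>' '</plist>' > "${1%/}/$CYDIA_PLIST"
}

# make_infected_tree DIR: constructed fixture mimicking the post-infection layout
# from the article (empty placeholder files plus a plist with an extra, purely
# illustrative ProgramArguments entry).
make_infected_tree() {
    d="$1"
    for f in $IKEE_FILES; do
        mkdir -p "$d/$(dirname "$f")"; : > "$d/$f"
    done
    mkdir -p "$d/$(dirname "$CYDIA_PLIST")"
    printf '%s\n' '<plist version="1.0"><dict>' \
        '<key>Label</key><string>com.saurik.Cydia.Startup</string>' \
        '<key>Program</key><string>/usr/libexec/cydia/startup</string>' \
        '<key>ProgramArguments</key><array><string>/bin/poc-bbot</string></array>' \
        '<key>RunAtLoad</key><true/>' '</dict></plist>' > "$d/$CYDIA_PLIST"
}

# Demonstration on a constructed tree in a temp directory (never touches "/").
demo="$(mktemp -d)"
make_infected_tree "$demo"
ikee_scan "$demo" || echo "clean"
echo "removed $(ikee_clean "$demo") files"
write_clean_cydia_plist "$demo"
ikee_scan "$demo" || echo "$demo is now clean"
rm -rf "$demo"
```

Run it as root over SSH with the device root ("/") only after reviewing the indicator list, since /usr/libexec/cydia/startup is also the legitimate program the clean plist points to; the article’s final step of reinstalling SSH (and Cydia’s startup files) and rebooting still applies.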

Remember that this worm can access your device only because it has been jailbroken, since jailbreaking disables the iPhone’s built-in protections. So if you want to stay safe, make sure you know what you are getting into.