Sophos is reporting that jailbroken Apple iPhones in Australia have been infected by a worm that has changed their wallpaper to an image of 1980s pop singer Rick Astley.


Though there are no reports of the worm having spread to other countries, it isn't unlikely that it has.

The worm is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once installed, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again.

On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message:

ikee is never going to give you up

The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.

What's clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.

Sophos Labs is analyzing the worm's code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labeled the "D" version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments reprimands affected users for not following instructions when installing SSH. Had they changed the default password the worm would not have been able to infect them.

It looks like the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. But, of course one can never be too sure. Hackers with intent to cause damage could experiment and deploy a worm with a more serious payload.

The source code of the worm says at its start:

/ "ikee virus" by ikex
/ Revision: 10 (Variant D)

A quick trawl of the Whirlpool forum where users are reporting that their iPhones are unexpectedly displaying an image of Rick Astley, reveals a user calling themselves "ike_x".

According to ike_x's user profile on the Whirlpool forum his nearest city is Sydney, Australia . Further searching on the internet reveals other pages seemingly related to ike_x of Wollongong, New South Wales, using the name "Ash" or "Ashley Towns".

The worm's author has posted an explanation inside the code. It says:

Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn't anyone RTFM anymore?