Worm:SymbOS/Beselo.A

Classification

Category :

Malware

Type :

Bluetooth-Worm

Platform :

SymbOS

Aliases :

Worm:SymbOS/Beselo.A, Worm:SymbOS/Beselo.A

Summary

Beselo.A is an MMS and Bluetooth worm that operates on Symbian S60 Second Edition devices.

Beselo.A spreads via MMS messages and Bluetooth using the filenames beauty.jpg, sex.mp3, or love.rm.

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Infection

The worm's SIS installation package contains .exe, .ini, and .dat files named using a random format that has seven letters followed by the extension. For example, qsnpwsg.exe,qsnpwsg.ini, and qsnpwsg.dat.

When Beselo.A is run the installer will copy the worm's main executable to C:\system\data and execute. After execution the worm will copy its executable file to C:\system\apps with the same name as worm's main executable. Additionally, the worm creates a new unique SIS installation package to C:\systems\apps and recognizer to C:\system\recogs with the name that has the same first four letters as worm's executable. If the phone has a memory card the worm will also copy itself there. To summarize, here is a list of all files created in one installation using example filenames.

Files created on the phone:

  • C:\system\data\qsnpwsg.exe
  • C:\system\apps\qsnpwsg.exe
  • C:\system\apps\qsnpwsg.sis
  • C:\system\recogs\gsnp.mdl

The following file does not have a variable name:

  • C:\system\data\SIMLanguage.dat

Files created on the memory card:

  • E:\system\apps\qsnpwsg.exe
  • E:\system\recogs\gsnp.mdl

Hiding and Protecting the Process from the User

Beselo.A attempts to hide its process from the user by running as executable, so that it is not visible in the standard application list. The process is visible in third party tools that show system processes. It is named with same random name as the worm's main executable.

The worm protects its process from being killed by setting the process type to "system". It is not possible to kill a system process.

Replication via MMS Messages

Beselo.A replicates using MMS with SIS files that have the text "Photo" as message body and a SIS file attachment named beauty.jpg, sex.mp3, or love.rm.

The MMS messages are sent to numbers found in the device phone book.

Replication via Bluetooth

Beselo.A replicates using Bluetooth in SIS files using the same name as the MMS messages. Bluetooth messages are attempt in one minute intervals to one phone number at a time.

The extension used in the worm installation file causes the message to be shown with an icon that indicates a broken media file.

Replication to an MMC Card

Beselo.A listens for any MMC cards inserted to the infected phone, and copies itself to inserted card. The infected card contains both the worm executable and the bootstrap component, so that if infected card is inserted into another phone it will also be infected.