1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Security
  3. Security Lab
  4. Latest Threats
  5. Virus Descriptions
  6. Worm:SymbOS/Beselo.A

Worm:SymbOS/Beselo.A

Name : Worm:SymbOS/Beselo.A
Category:Malware
Type:Bluetooth-Worm
Platform:SymbOS
Origin:Asia
Date of Discovery:December 21, 2007

Summary

Beselo.A is an MMS and Bluetooth worm that operates on Symbian S60 Second Edition devices.

Beselo.A spreads via MMS messages and Bluetooth using the filenames beauty.jpg, sex.mp3, or love.rm.

Disinfection

CAUTION! this method will remove all data on the device including calendar and phone numbers:

  • Power off the phone
  • Hold the following three buttons down - "answer call" + "*" + "3"
  • Keep holding down the buttons and power on the phone
  • Depending on the model, you will either get text that reads "formatting" or a start-up dialog that asks for the initial phone settings
  • Your phone is now formatted and can be used again

To prevent future infections, please download F-Secure Mobile Anti-Virus from here: http://f-secure.mobi.

Additional Details

Infection

The worm's SIS installation package contains .exe, .ini, and .dat files named using a random format that has seven letters followed by the extension. For example, qsnpwsg.exe,qsnpwsg.ini, and qsnpwsg.dat.

When Beselo.A is run the installer will copy the worm's main executable to C:\system\data and execute. After execution the worm will copy its executable file to C:\system\apps with the same name as worm's main executable. Additionally, the worm creates a new unique SIS installation package to C:\systems\apps and recognizer to C:\system\recogs with the name that has the same first four letters as worm's executable. If the phone has a memory card the worm will also copy itself there. To summarize, here is a list of all files created in one installation using example filenames.

Files created on the phone:
  • C:\system\data\qsnpwsg.exe
  • C:\system\apps\qsnpwsg.exe
  • C:\system\apps\qsnpwsg.sis
  • C:\system\recogs\gsnp.mdl

The following file does not have a variable name:

  • C:\system\data\SIMLanguage.dat

Files created on the memory card:
  • E:\system\apps\qsnpwsg.exe
  • E:\system\recogs\gsnp.mdl

Hiding and Protecting the Process from the User

Beselo.A attempts to hide its process from the user by running as executable, so that it is not visible in the standard application list. The process is visible in third party tools that show system processes. It is named with same random name as the worm's main executable.

The worm protects its process from being killed by setting the process type to "system". It is not possible to kill a system process.

Replication via MMS Messages

Beselo.A replicates using MMS with SIS files that have the text "Photo" as message body and a SIS file attachment named beauty.jpg, sex.mp3, or love.rm.

The MMS messages are sent to numbers found in the device phone book.

Replication via Bluetooth

Beselo.A replicates using Bluetooth in SIS files using the same name as the MMS messages. Bluetooth messages are attempt in one minute intervals to one phone number at a time.

The extension used in the worm installation file causes the message to be shown with an icon that indicates a broken media file.

Replication to an MMC Card

Beselo.A listens for any MMC cards inserted to the infected phone, and copies itself to inserted card. The infected card contains both the worm executable and the bootstrap component, so that if infected card is inserted into another phone it will also be infected.

Detection

F-Secure Mobile Anti-Virus for Symbian detects this malware starting from the update build number 149.