Tuesday, January 22, 2008
New Symbian Worm in the Wild Posted by Jarno @ 08:57 GMT

We have been working on an interesting Symbian worm over the last few days. It affects S60 2nd Edition phones.

The SymbOS/Beselo family of worms is very similar to Commwarrior. In fact at first we actually misidentified Beselo.A as Commwarrior.Y. Like Commwarrior, Beselo worms spread via MMS and Bluetooth using social engineering to trick users into installing an incoming SIS application installation file.

But what makes Beselo interesting is that instead of a standard SIS extension the Beselo family uses common media file extensions. This leads the recipient believe that he is receiving a picture or sound file instead of Symbian application. He is then far more likely to answer "yes" to any questions the phone prompts after clicking on such an incoming file.

The filenames used by Beselo are beauty.jpg, sex.mp3, and love.rm.
Sex MP3
However, just this use of a new social engineering trick was not enough to get more attention from us; we added Beselo.A as Commwarrior.Y back in December. But last Friday and over the weekend a friend working for a major telecom operator became interested in the extensions and did a bit of investigation into what was going on.

It turns out that Beselo.A was in the wild on their MMS network and that it had a big brother, Beselo.B.

Both of these worms have been able to escape attention for at least a while with the simple trick of pretending to be common media files.

So if you have a Symbian S60 phone, and you receive a media file, answer "no" to any installation prompt that appears when trying to open the file. There is no reason for any image file to ask installation questions on the Symbian platform, so any image or sound file that does something else than play immediately is without question something else than it claims to be.

Beselo worms are compiled for S60 2nd Edition phones. Attempting to open the file on a 3rd Edition phone will likely cause an error message rather than an installation prompt.

We can also recommended having Anti-Virus running on your phone. You can find ours from F-Secure.mobi, try it from your phone.

<<< One Year Ago...
Case Closed >>>