Threat Descriptons



Category :


Type :


Platform :


Aliases :



A worm that spreads over Bluetooth networks.


A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Bluetooth-Worm:SymbOS/Lasco.A is distributed in a SIS file named velasco.sis.

The velasco.sis file will not arrive automatically to the target device, so user needs to answer yes to the transfer question while the infected device is still in range. This modification in the replication mechanism, will make it more likely that Lasco.A will spread quickly once in the wild.

Lasco worm can reach only mobile phones that support Bluetooth and are in discoverable mode. Setting your phone into non-discoverable (hidden) Bluetooth mode will protect your phone. But once the phone is infected, it will try to infect other systems even if the user tries to disable Bluetooth from system settings.


When the Lasco.A worm is activated it will start looking for other bluetooth devices, and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range the Lasco.A will continue searching and infecting other phones.

The SIS file contains the worm's main executable files:

  • marcos.mdl - system recognizer
  • velasco.rsc - resource file

The file also contains autostart settings that will automatically execute after the SIS file is being installed.


When the velasco.sis file is installed the installer will copy the worm executables into following locations:

  • c:\system\apps\velasco\velasco.rsc
  • c:\system\apps\velasco\
  • c:\system\apps\velasco\flo.mdl

When the is executed it copies the following files:

  • flo.mdl to c:\system\recogs
  • to c:\system\symbiansecuredata\velasco\
  • velasco.rsc to c:\system\symbiansecuredata\velasco\

This is most likely done in case user installs the application to memory card, or to avoid user trying to disinfect the worm by uninstalling the original SIS file.

Then the worm will recreate the velasco.sis file from worm component files and data blocks that are in

After recreating the SIS file the Lasco.A will search for all SIS files in the device, add itself into those files and modify the SIS file header so that the Lasco.A embedded into target SIS files will activate automatically upon install of that SIS file into the device.


Lasco.A also replicates by searching the infected device for all SIS installation files. And infecting them by adding the velasco.sis installation file as last file in the SIS archive.

The Lasco.A will also modify the infected SIS file header so that the embedded velasco SIS installation will start automatically after the host SIS file is installed. But while the Lasco.A is installation is started automatically, the installation sequence will still be normal and use will be asked whether he wants to install Velasco, and user will get warning about missing signature in the SIS file.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.