Threat Descriptons



Category :


Type :


Platform :


Aliases :



Beselo.B is an MMS and Bluetooth worm that operates on Symbian S60 Second Edition devices.

Beselo.B spreads via MMS messages and Bluetooth using the filenames beauty.jpg, sex.mp3, or love.rm.


A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details


The worm's SIS installation package contains .exe, .ini, and .dat files named using a random format that has seven letters followed by the extension. For example, qsnpwsg.exe,qsnpwsg.ini, and qsnpwsg.dat.

When Beselo.B is run the installer will copy the worm's main executable to C:\system\data and execute. After execution the worm will copy its executable file to C:\system\apps with the same name as worm's main executable. Additionally, the worm creates a new unique SIS installation package to C:\systems\apps and recognizer to C:\system\recogs with the name that has the same first four letters as worm's executable. If the phone has a memory card the worm will also copy itself there. To summarize, here is a list of all files created in one installation using example filenames.

Files created on the phone:

  • c:\system\data\qsnpwsg.exe
  • c:\system\data\qsnpwsg.dat
  • c:\system\data\qsnpwsg.ini
  • c:\system\apps\qsnpwsg.exe
  • c:\system\apps\qsnpwsg.sis
  • c:\system\recogs\gsnp.mdl

Files created on the memory card:

  • e:\system\apps\qsnpwsg.exe
  • e:\system\recogs\gsnp.mdl

Hiding and Protecting the Process from the User

Beselo.B attempts to hide its process from the user by running as executable, so that it is not visible in the standard application list. The process is visible in third party tools that show system processes. It is named with same random name as the worm's main executable.

The worm protects its process from being killed by setting the process type to "system". It is not possible to kill a system process.

Replication via MMS Messages

Beselo.B replicates using MMS with SIS files that have the text "Photo" as message body and a SIS file attachment named beauty.jpg, sex.mp3, or love.rm.

The MMS messages are sent in 1 minute interval to either numbers found in the device phone book or else to internally generated numbers.

Beselo.B also listens for incoming SMS messages and responds to any message with an infected MMS message.

Replication via Bluetooth

Beselo.B replicates using Bluetooth in SIS files using the same name as the MMS messages. Bluetooth messages are attempt in one minute intervals to one phone number at a time.

The extension used in the worm installation file causes the message to be shown with an icon that indicates a broken media file.

Replication to an MMC Card

Beselo.B listens for any MMC cards inserted to the infected phone, and copies itself to inserted card. The infected card contains both the worm executable and the bootstrap component, so that if infected card is inserted into another phone it will also be infected.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.