The worm's SIS installation package contains .exe, .ini, and .dat files named using a random format that has seven letters followed by the extension. For example, qsnpwsg.exe,qsnpwsg.ini, and qsnpwsg.dat.
When Beselo.A is run the installer will copy the worm's main executable to C:\system\data and execute. After execution the worm will copy its executable file to C:\system\apps with the same name as worm's main executable. Additionally, the worm creates a new unique SIS installation package to C:\systems\apps and recognizer to C:\system\recogs with the name that has the same first four letters as worm's executable. If the phone has a memory card the worm will also copy itself there. To summarize, here is a list of all files created in one installation using example filenames.
Files created on the phone:
The following file does not have a variable name:
Files created on the memory card:
Hiding and Protecting the Process from the User
Beselo.A attempts to hide its process from the user by running as executable, so that it is not visible in the standard application list. The process is visible in third party tools that show system processes. It is named with same random name as the worm's main executable.
The worm protects its process from being killed by setting the process type to "system". It is not possible to kill a system process.
Replication via MMS Messages
Beselo.A replicates using MMS with SIS files that have the text "Photo" as message body and a SIS file attachment named beauty.jpg, sex.mp3, or love.rm.
The MMS messages are sent to numbers found in the device phone book.
Replication via Bluetooth
Beselo.A replicates using Bluetooth in SIS files using the same name as the MMS messages. Bluetooth messages are attempt in one minute intervals to one phone number at a time.
The extension used in the worm installation file causes the message to be shown with an icon that indicates a broken media file.
Replication to an MMC Card
Beselo.A listens for any MMC cards inserted to the infected phone, and copies itself to inserted card. The infected card contains both the worm executable and the bootstrap component, so that if infected card is inserted into another phone it will also be infected.