
SymbOS/Beselo.A!worm - Released Jan 18, 2008 - Last Updated Jan 23, 2008

Detection Availability

Active Database    Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The following files exist:
    • c:\system\Apps\[random_name].exe : 80912 bytes (79k)
    • c:\system\Apps\[random_name].sis : 60008 bytes (59k)
    • c:\system\recogs\[random_name].mdl : 3296 bytes
    • c:\system\Data\[random_name].exe : 80912 bytes (79k)
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data\[random_name].ini : 0 bytes
  • Any of the following files exist:
    • c:\system\Install\sex.mp3 : 60008 bytes (59k)
    • c:\system\Install\love.rm : 60008 bytes (59k)
    • c:\system\Install\beauty.jpg : 60008 bytes (59k)

    Detailed Analysis

    It propagates via MMS and Bluetooth.

    The phone issues a warning dialog saying "Application is untrusted and may have problems. Install only if you trust provider".

    Once the user opens the MMS, the phone demands the user's permission to install a file. The file has a random name.

    The file details can be checked by selecting the "Options" menu option. The file details show that no certificate is available and that the supplier is unknown.

    Once the application is installed, the following files can be found on the file system:

    • c:\system\Apps\[random_name].exe : 80912 bytes (79k)
    • c:\system\Apps\[random_name].sis : 60008 bytes (59k)
    • c:\system\recogs\[random_name].mdl : 3296 bytes
    • c:\system\Data\[random_name].exe : 80912 bytes (79k)
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data\[random_name].ini : 0 bytes
    and any of the following files:
    • c:\system\Install\sex.mp3 : 60008 bytes (59k)
    • c:\system\Install\love.rm : 60008 bytes (59k)
    • c:\system\Install\beauty.jpg : 60008 bytes (59k)
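
    A triage check built from the file indicators listed above, as an added example that is not part of the original advisory: it takes a file listing (path and size pairs) exported from a handset backup or forensic image and reports which of the listed artefacts are present. The `match`/`partial`/`clean` verdict names, the case-insensitive path comparison and the sample listing are assumptions of this example.

```python
import ntpath

# Core artefacts from the advisory: (directory, extension, exact size in bytes).
# The file name itself is random, so only location, extension and size are checked.
CORE = [
    (r"c:\system\apps", ".exe", 80912),
    (r"c:\system\apps", ".sis", 60008),
    (r"c:\system\recogs", ".mdl", 3296),
    (r"c:\system\data", ".exe", 80912),
    (r"c:\system\data", ".dat", 8),
    (r"c:\system\data", ".ini", 0),
]
# Media-named copies of the 60008-byte SIS package listed in the advisory.
LURE_DIR = r"c:\system\install"
LURE_NAMES = {"sex.mp3", "love.rm", "beauty.jpg"}
LURE_SIZE = 60008

def assess(listing):
    """listing: iterable of (path, size_in_bytes). Returns verdict and evidence."""
    core_hits, lure_hits = {}, []
    for path, size in listing:
        # Assumption: compare case-insensitively and accept either slash style.
        folder, name = ntpath.split(ntpath.normcase(path))
        ext = ntpath.splitext(name)[1]
        for rule in CORE:
            if (folder, ext, size) == rule:
                core_hits.setdefault(rule, []).append(path)
        if folder == LURE_DIR and name in LURE_NAMES and size == LURE_SIZE:
            lure_hits.append(path)
    missing = [rule for rule in CORE if rule not in core_hits]
    # "match": every core artefact plus at least one lure file, as the advisory lists.
    # "partial": some indicators only (an empty .ini alone proves little); review by hand.
    if not missing and lure_hits:
        verdict = "match"
    else:
        verdict = "partial" if (core_hits or lure_hits) else "clean"
    return {"verdict": verdict, "core": core_hits, "lures": lure_hits, "missing": missing}

# Constructed sample listing (file names are made up for illustration).
SAMPLE_LISTING = [
    (r"C:\System\Apps\kqzt.exe", 80912),
    (r"C:\System\Apps\kqzt.sis", 60008),
    (r"C:\System\Recogs\kqzt.mdl", 3296),
    (r"C:\System\Data\kqzt.exe", 80912),
    (r"C:\System\Data\kqzt.dat", 8),
    (r"C:\System\Data\kqzt.ini", 0),
    (r"C:\System\Install\love.rm", 60008),
    (r"C:\Nokia\Images\beauty.jpg", 41200),  # same name, wrong place and size
]
```

    Calling `assess(SAMPLE_LISTING)` returns the verdict together with the matching paths and the list of core artefacts that were not found.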

    The virus process can be seen in the process list.

  • It sends itself as an MMS to phone numbers of the same operator as well as to the phone numbers of the contacts on the infected phone.

    The message details can be seen by selecting the appropriate menu option.

  • It searches for Bluetooth-enabled devices and attempts to send a copy of the SIS file to all devices that it finds. The file name is one of the following:

    • beauty.jpg
    • love.rm
    • sex.mp3

    Recommended Action

      FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

      FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 417172