SymbOS/BeSeLo.B!worm

Alias/es: SymbOS/Beselo virus, Symb/Beselo-B
Release Date: Feb 18, 2008
Detection Availability
Active Database | Extended Database
FortiGate: low | high
FortiClient
FortiMail: N/A
Current Antivirus Definition Database Version: 12.196
Description

Visible Symptoms

  • The following files exist:
    • c:\system\Apps\[random_name].exe : 83662 bytes
    • c:\system\Apps\[random_name].sis : 61279 bytes
    • c:\system\recogs\[random_name].mdl : 3296 bytes
    • c:\system\Data\[random_name].exe : 83662 bytes
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data\[random_name].ini : 0 bytes
  • Any of the following files exist:
    • c:\system\Install\sex.mp3 : 61279 bytes
    • c:\system\Install\love.rm : 61279 bytes
    • c:\system\Install\beauty.jpg : 61279 bytes

Detailed Analysis

  • It propagates via MMS and Bluetooth.

  • Once the user opens the MMS message that contains this worm, the phone demands the user's permission to install a file. The file has a random name.

  • Once the application is installed, the following files can be found in the file system:
    • c:\system\Apps\[random_name].exe : 83662 bytes
    • c:\system\Apps\[random_name].sis : 61279 bytes
    • c:\system\recogs\[random_name].mdl : 3296 bytes
    • c:\system\Data\[random_name].exe : 83662 bytes
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data\[random_name].ini : 0 bytes
    as well as any of the following files:
    • c:\system\Install\sex.mp3 : 61279 bytes
    • c:\system\Install\love.rm : 61279 bytes
    • c:\system\Install\beauty.jpg : 61279 bytes

  • It sends itself as an MMS to phone numbers of the same operator as well as to the phone numbers of the contacts on the infected phone.

  • It searches for Bluetooth-enabled devices and attempts to send a copy of the SIS file to all devices that it finds. The file name is one of the following:
    • beauty.jpg
    • love.rm
    • sex.mp3
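
As an added example (not part of the original write-up), the following Python script checks a file listing exported from a handset against the path-and-size artifacts listed above, comparing paths case-insensitively. The one-entry-per-line `<path> <size>` listing format, the function names and the sample data are assumptions made for illustration.

```python
import re

# Indicators from the file list above: (directory, extension, size in bytes).
DROPPED = [
    (r"c:\system\apps", ".exe", 83662),
    (r"c:\system\apps", ".sis", 61279),
    (r"c:\system\recogs", ".mdl", 3296),
    (r"c:\system\data", ".exe", 83662),
    (r"c:\system\data", ".dat", 8),
    (r"c:\system\data", ".ini", 0),
]
LURES = {"sex.mp3", "love.rm", "beauty.jpg"}  # media-named copies of the SIS file
LURE_DIR, LURE_SIZE = r"c:\system\install", 61279

def parse_listing(text):
    """Yield (directory, filename, size) from '<path> <size>' lines (assumed format)."""
    for line in text.splitlines():
        m = re.match(r"\s*(\S.*?)\s+(\d+)\s*$", line)
        if not m:
            continue
        # Normalise separators and case before comparing with the indicators.
        path = m.group(1).replace("/", "\\").lower()
        directory, _, name = path.rpartition("\\")
        yield directory, name, int(m.group(2))

def triage(text):
    """Return (verdict, matched dropped-file indicators, matched lure names)."""
    dropped, lures = set(), set()
    for directory, name, size in parse_listing(text):
        for ind in DROPPED:
            # The file name is random, so match on directory, extension and size.
            if (directory, size) == (ind[0], ind[2]) and name.endswith(ind[1]):
                dropped.add(ind)
        if directory == LURE_DIR and name in LURES and size == LURE_SIZE:
            lures.add(name)
    full = len(dropped) == len(DROPPED) and bool(lures)
    verdict = "match" if full else "partial" if (dropped or lures) else "clean"
    return verdict, dropped, lures

# Constructed sample listing (not taken from a real device).
SAMPLE = """\
C:\\System\\Apps\\qwkzt.exe 83662
C:\\System\\Apps\\qwkzt.sis 61279
C:\\System\\Recogs\\qwkzt.mdl 3296
C:\\System\\Data\\qwkzt.exe 83662
C:\\System\\Data\\qwkzt.dat 8
C:\\System\\Data\\qwkzt.ini 0
C:\\System\\Install\\beauty.jpg 61279
C:\\Nokia\\Images\\beauty.jpg 48211
"""
print(triage(SAMPLE)[0])
```

A "partial" verdict means only some of the artifacts were found and the listing needs manual review; a same-named media file outside c:\system\Install or with a different size is not counted.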

Description Last Updated Date: Mar 17, 2008
Reference: ID - 432613