SymbOS/BeSeLo.B!worm - Released Feb 18, 2008 - Last Updated Mar 17, 2008
Alias/es: SymbOS/Beselo virus, Symb/Beselo-B
Detection Availability
Visible Symptoms
The following files exist:
- c:\system\Apps\[random_name].exe : 83662 bytes
- c:\system\Apps\[random_name].sis : 61279 bytes
- c:\system\recogs\[random_name].mdl : 3296 bytes
- c:\system\Data\[random_name].exe : 83662 bytes
- c:\system\Data\[random_name].dat : 8 bytes
- c:\system\Data\[random_name].ini : 0 bytes
Any of the following files exist:
- c:\system\Install\sex.mp3 : 61279 bytes
- c:\system\Install\love.rm : 61279 bytes
- c:\system\Install\beauty.jpg : 61279 bytes
Detailed Analysis
It propagates via MMS and Bluetooth.
Once the user opens the MMS message that contains this worm, the phone demands the user's permission to install a file. The file has a random name.
Once the application is installed, the following files can be found in the file system:
- c:\system\Apps\[random_name].exe : 83662 bytes
- c:\system\Apps\[random_name].sis : 61279 bytes
- c:\system\recogs\[random_name].mdl : 3296 bytes
- c:\system\Data\[random_name].exe : 83662 bytes
- c:\system\Data\[random_name].dat : 8 bytes
- c:\system\Data\[random_name].ini : 0 bytes
as well as any of the following files:
- c:\system\Install\sex.mp3 : 61279 bytes
- c:\system\Install\love.rm : 61279 bytes
- c:\system\Install\beauty.jpg : 61279 bytes
It sends itself as an MMS to phone numbers of the same operator as well as to the phone numbers of the contacts on the infected phone.
It searches for Bluetooth-enabled devices and attempts to send a copy of the SIS file to all devices that it finds. The file name is one of the following:
- beauty.jpg
- love.rm
- sex.mp3
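The file indicators listed above can be checked against a file listing exported from a suspect phone. The following is an added example, not part of the original write-up: the listing format of (path, size) pairs, the case-insensitive comparison and the sample name "qkzt" are assumptions made for illustration.

```python
# Indicators from the analysis above: (directory, extension, size in bytes).
CORE = [
    ("c:\\system\\apps", ".exe", 83662),
    ("c:\\system\\apps", ".sis", 61279),
    ("c:\\system\\recogs", ".mdl", 3296),
    ("c:\\system\\data", ".exe", 83662),
    ("c:\\system\\data", ".dat", 8),
    ("c:\\system\\data", ".ini", 0),
]
DECOYS = {"c:\\system\\install\\" + n for n in ("sex.mp3", "love.rm", "beauty.jpg")}
DECOY_SIZE = 61279  # same size as the .sis file listed above


def normalise(path):  # lower-case and unify separators before comparing
    return path.strip().replace("/", "\\").lower()


def check_listing(listing):
    """listing: (path, size) pairs. Full match = all six core files plus one Install file."""
    core_hits, decoy_hits = {}, []
    for path, size in listing:
        p = normalise(path)
        if p in DECOYS and size == DECOY_SIZE:
            decoy_hits.append(p)
            continue
        directory, _, name = p.rpartition("\\")
        ext = name[name.rfind("."):] if "." in name else ""
        if (directory, ext, size) in CORE:
            core_hits.setdefault((directory, ext, size), []).append(p)
    if len(core_hits) == len(CORE) and decoy_hits:
        return core_hits, decoy_hits, "full match"
    verdict = "partial match" if core_hits or decoy_hits else "no match"
    return core_hits, decoy_hits, verdict


# Constructed sample listing; "qkzt" stands in for the random name.
SAMPLE = [
    ("C:\\System\\Apps\\qkzt.exe", 83662),
    ("C:\\System\\Apps\\qkzt.sis", 61279),
    ("C:\\System\\Recogs\\qkzt.mdl", 3296),
    ("C:\\System\\Data\\qkzt.exe", 83662),
    ("C:\\System\\Data\\qkzt.dat", 8),
    ("C:\\System\\Data\\qkzt.ini", 0),
    ("C:\\System\\Install\\love.rm", 61279),
    ("C:\\System\\Apps\\Notes\\Notes.exe", 83662),  # subdirectory: not an indicator
]

if __name__ == "__main__":
    print(check_listing(SAMPLE)[2])
```

A partial match that rests only on the 0-byte .ini or 8-byte .dat entry is weak evidence and should be reviewed by hand.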
Recommended Action
Delete all modules related to this virus from the infected device.