SymbOS/BeSeLo.C!worm - Released Jun 16, 2008 - Last Updated Jun 18, 2008
Detection Availability
Visible Symptoms
Rapid battery power loss due to repeated propagation attempts via Bluetooth.
Presence of any of the following files in "C:\System\Install":
- BEAUTY.JPG
- LOVE.RM
- SEX.MP3
Detailed Analysis
This is a stripped-down version of SymbOS/BeSeLo.B that lacks the MMS propagation routine. Bluetooth is therefore the only automated infection method, but the worm may still arrive by any other vector (including MMS) as part of a manual attack or a seeding operation.
Technical details
The malware arrives as a SIS package that is not signed with a legitimate Symbian certificate; the installer flags this during installation.
The following files are dropped upon installation:
- c:\system\Apps\[random_name].exe
- c:\system\Apps\[random_name].sis
- c:\system\recogs\[random_name].mdl
- c:\system\Data\[random_name].exe
Unlike BeSeLo.B, this version does not:
- Drop the DAT and INI files in c:\system\Data\
- Copy the originally executed file (i.e. the infection vector) into C:\System\Install.
Propagation relies on repeated Bluetooth connection attempts to surrounding devices, as shown in Figure 1. The worm scans for Bluetooth-enabled devices and sends each device found a file transfer request. The file name is one of the following:
- beauty.jpg
- love.rm
- sex.mp3
If the victim accepts the file transfer, a copy of the worm is delivered and an installation prompt appears, as shown in Figure 2 below. Choosing "Yes" installs the worm.
Figure 1: Malicious connection attempt.
Figure 2: You've been warned.
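The Bluetooth file transfer described above is an OBEX Object Push: a PUT whose Name header carries one of the lure filenames while the body is the SIS package. The following added example (written for this page, not code from Fortinet or from the worm) parses an OBEX PUT packet and applies the checks a Bluetooth gateway or analyst would want: is the name one of the three lure filenames, does the content match the media type the extension claims, and does the payload carry the UID3 of a pre-Symbian 9 SIS package. The OBEX header encoding and the JPEG/RealMedia/MP3 magic bytes are standard; the SIS UID3 value 0x10000419, the other UID values, and the sample packets are this example's own assumptions and constructed data, not taken from the page.

```python
import struct

# Lure filenames named in the analysis above (compared case-insensitively)
KNOWN_LURE_NAMES = {"beauty.jpg", "love.rm", "sex.mp3"}

# Leading bytes a genuine file of the claimed type would start with
MEDIA_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".rm": [b".RMF"],
    ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
}

# UID3 of a pre-Symbian 9 SIS package: an assumed value, stored little-endian at offset 8
LEGACY_SIS_UID3 = 0x10000419

# OBEX opcodes and the header IDs this example handles
OBEX_PUT, OBEX_PUT_FINAL = 0x02, 0x82
HDR_NAME, HDR_TYPE, HDR_LENGTH, HDR_BODY, HDR_END_OF_BODY = 0x01, 0x42, 0xC3, 0x48, 0x49


def parse_obex_headers(packet: bytes):
    """Return (opcode, {header_id: value}) for one OBEX packet; raise ValueError if malformed."""
    if len(packet) < 3:
        raise ValueError("short packet")
    opcode = packet[0]
    total = struct.unpack(">H", packet[1:3])[0]
    if total != len(packet):
        raise ValueError("length field does not match packet size")
    pos, headers = 3, {}
    while pos < total:
        hid = packet[pos]
        kind = hid & 0xC0  # top two bits select the header encoding
        if kind in (0x00, 0x40):  # unicode string / byte sequence: 2-byte length incl. id+len
            if pos + 3 > total:
                raise ValueError("truncated header")
            hlen = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
            if hlen < 3 or pos + hlen > total:
                raise ValueError("bad header length")
            value = packet[pos + 3:pos + hlen]
            if kind == 0x00:  # null-terminated UTF-16BE
                value = value.decode("utf-16-be").rstrip("\x00")
            pos += hlen
        elif kind == 0x80:  # single byte
            if pos + 2 > total:
                raise ValueError("truncated header")
            value, pos = packet[pos + 1], pos + 2
        else:  # 4-byte quantity
            if pos + 5 > total:
                raise ValueError("truncated header")
            value, pos = struct.unpack(">I", packet[pos + 1:pos + 5])[0], pos + 5
        headers[hid] = value
    return opcode, headers


def looks_like_legacy_sis(body: bytes) -> bool:
    """True if the payload carries the assumed legacy SIS UID3 in its UID triple."""
    return len(body) >= 12 and struct.unpack("<I", body[8:12])[0] == LEGACY_SIS_UID3


def inspect_put(packet: bytes) -> dict:
    """Flag an OBEX push that matches the worm's propagation pattern."""
    opcode, hdrs = parse_obex_headers(packet)
    if opcode not in (OBEX_PUT, OBEX_PUT_FINAL):
        return {"put": False, "name": None, "findings": []}
    name = hdrs.get(HDR_NAME, "")
    body = hdrs.get(HDR_BODY, b"") + hdrs.get(HDR_END_OF_BODY, b"")
    lname = name.lower()
    findings = []
    if lname in KNOWN_LURE_NAMES:
        findings.append("lure filename")
    ext = lname[lname.rfind("."):] if "." in lname else ""
    magics = MEDIA_MAGIC.get(ext)
    if magics and body and not any(body.startswith(m) for m in magics):
        findings.append("content does not match claimed media type")
    if looks_like_legacy_sis(body):
        findings.append("payload is a SIS package")
    return {"put": True, "name": name, "findings": findings}


def build_put(name: str, body: bytes, final: bool = True) -> bytes:
    """Build a single-packet OBEX PUT (used here only to construct sample input)."""
    name_b = name.encode("utf-16-be") + b"\x00\x00"
    hdrs = struct.pack(">BH", HDR_NAME, 3 + len(name_b)) + name_b
    hdrs += struct.pack(">BI", HDR_LENGTH, len(body))
    hdrs += struct.pack(">BH", HDR_END_OF_BODY if final else HDR_BODY, 3 + len(body)) + body
    return struct.pack(">BH", OBEX_PUT_FINAL if final else OBEX_PUT, 3 + len(hdrs)) + hdrs


# Constructed samples: a lure push whose body starts with a SIS UID triple (UID1/UID2 made up),
# and a benign push carrying a real JPEG header.
SAMPLE_SIS_HEADER = struct.pack("<III", 0x10203040, 0x10003A12, LEGACY_SIS_UID3) + b"\x00" * 20
SAMPLE_PUSH = build_put("beauty.jpg", SAMPLE_SIS_HEADER)
SAMPLE_BENIGN = build_put("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20)

if __name__ == "__main__":
    print(inspect_put(SAMPLE_PUSH))
    print(inspect_put(SAMPLE_BENIGN))
```

The content-versus-extension check is the durable part: renaming the lure to a new media filename defeats the name list but not the magic mismatch, and a real SIS is recognisable regardless of what the Name header claims.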
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.