Thursday, January 31, 2008

Free Beselo disinfection/removal tools and cleaners

Disinfecting using F-Secure Mobile Anti-Virus


1. Download F-Secure Mobile Anti-Virus from http://f-secure.mobi and activate the Anti-Virus [trial version available]
2. Scan the phone and remove any components of the malware
3. Reboot the phone to remove memory resident components

McAfee Disinfection

Enter the detection name as beslo, click the Add button to add "beslo" to the detection list, then click either "get extra.dat" or "get superextra.dat".

To obtain an ED for this threat, please visit:

http://www.webimmune.net/extra/getextra.aspx


Fortiguardcenter disinfection


Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

www.fortiguardcenter.com


Note: Many other free/commercial mobile antivirus tools and removers may support disinfection of the Beselo worm family; we have listed only a few important ones here. [The list will be updated frequently]

SymbOS/Beselo threat Analysis

Its propagation vectors are MMS and Bluetooth.

The phone issues a warning dialog saying "Application is untrusted and may have problems. Install only if you trust provider".

Once the user opens the MMS, the phone demands the user's permission to install a file. The file has a random name.

The file details can be checked by selecting the "Options" menu option. The file details show that no certificate is available and that the supplier is unknown.

Once the application is installed, the following files can be found on the file system:

  • c:\system\Apps\[random_name].exe : 80912 bytes (79k)
  • c:\system\Apps\[random_name].sis : 60008 bytes (59k)
  • c:\system\recogs\[random_name].mdl : 3296 bytes
  • c:\system\Data\[random_name].exe : 80912 bytes (79k)
  • c:\system\Data\[random_name].dat : 8 bytes
  • c:\system\Data[random_name].ini : 0 bytes
and any of the following files:
  • c:\system\Install\sex.mp3 : 60008 bytes (59k)
  • c:\system\Install\love.rm : 60008 bytes (59k)
  • c:\system\Install\beauty.jpg : 60008 bytes (59k)

The virus process can be seen in the process list.

  • It sends itself as an MMS to phone numbers of the same operator as well as to the phone numbers of the contacts on the infected phone. The message details can be seen by selecting the appropriate menu option.

  • It searches for Bluetooth-enabled devices and attempts to send a copy of the SIS file to all devices that it finds. The file name is one of the following:

    • beauty.jpg
    • love.rm
    • sex.mp3


  • Source

    SymbOS/Beselo information

    SymbOS/Beselo family is capable of running on several Symbian devices. These devices include, but may not be limited to, Nokia 6600, 6630, 6680, 7610, N70 and N72 phones.

    After an installation phase, the worm engages in a propagation routine. Phone numbers located in the contact list of the device are harvested and targeted by a viral MMS carrying a SIS-packed (Symbian Installation Source) version of the worm. However, the SIS file does not bear a .sis file extension; rather, it is disguised as a multimedia file.

    Users may know they have been infected if they see unrecognized sent messages in their MMS outboxes.

    Name : Worm:SymbOS/Beselo
    Alias: Beselo
    Type: Bluetooth-Worm
    Category: Malware
    Platform: SymbOS
    Date of Discovery: December 21, 2007

    SymbOS/Beselo Symptoms [files]

    SymbOS/Beselo attempts to disguise itself as other types of media files under the filenames "beauty.jpg", "love.rm" and "sex.mp3", each 59 KB (kilobytes) in size, alongside randomly named .exe files of 79 KB each.

    Your Symbian mobile is infected if you find the following files:

    • c:\system\Apps\[random_name].exe : 80912 bytes (79k)
    • c:\system\Apps\[random_name].sis : 60008 bytes (59k)
    • c:\system\recogs\[random_name].mdl : 3296 bytes
    • c:\system\Data\[random_name].exe : 80912 bytes (79k)
    • c:\system\Data\[random_name].dat : 8 bytes
    • c:\system\Data[random_name].ini : 0 bytes
    And any of the following files:
    • c:\system\Install\sex.mp3 : 60008 bytes (59k)
    • c:\system\Install\love.rm : 60008 bytes (59k)
    • c:\system\Install\beauty.jpg : 60008 bytes (59k)
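
The file indicators listed above can be checked against a file listing exported from a handset. The following Python is an added example, not code from the original post or from any vendor; the (path, size) listing format, the `triage` function name, the sample data, and the assumption that the components of one infection share the same random name are mine.

```python
import ntpath
from collections import defaultdict

# Indicators copied from the file lists on this page: (directory, extension) -> size in bytes.
RANDOM_NAME = {
    (r"c:\system\apps", ".exe"): 80912,
    (r"c:\system\apps", ".sis"): 60008,
    (r"c:\system\recogs", ".mdl"): 3296,
    (r"c:\system\data", ".exe"): 80912,
    (r"c:\system\data", ".dat"): 8,
}
# The 0-byte .ini is left out: an empty file is too common to be a useful match.
DECOYS = {"sex.mp3", "love.rm", "beauty.jpg"}   # SIS copies disguised as media
DECOY_DIR, DECOY_SIZE = r"c:\system\install", 60008


def triage(listing):
    """listing: iterable of (path, size). Returns (decoy_hits, random_name_hits).

    random_name_hits maps each random stem to the indicator paths sharing it
    (assumption: one infection reuses one random name); a stem only counts when
    it has the 80912-byte .exe plus at least one more component.
    """
    decoys, by_stem = [], defaultdict(list)
    for path, size in listing:
        folder, name = ntpath.split(path.lower())   # Symbian paths are case-insensitive
        stem, ext = ntpath.splitext(name)
        if folder == DECOY_DIR and name in DECOYS and size == DECOY_SIZE:
            decoys.append(path)
        elif RANDOM_NAME.get((folder, ext)) == size:
            by_stem[stem].append(path)
    hits = {s: p for s, p in by_stem.items()
            if len(p) >= 2 and any(x.lower().endswith(".exe") for x in p)}
    return decoys, hits


# Constructed sample listing (not taken from a real device).
SAMPLE = [
    (r"C:\System\Apps\qwkzt.exe", 80912),
    (r"C:\System\Apps\qwkzt.sis", 60008),
    (r"C:\System\Recogs\qwkzt.mdl", 3296),
    (r"C:\System\Data\qwkzt.dat", 8),
    (r"C:\System\Install\beauty.jpg", 60008),
    (r"C:\System\Install\holiday.jpg", 60008),   # same size, benign name
    (r"C:\System\Data\notes.dat", 8),            # lone 8-byte file, no .exe
    (r"C:\Nokia\Images\beauty.jpg", 41210),      # right name, wrong place and size
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on name, directory and exact size together keeps an ordinary photo called beauty.jpg or an unrelated 8-byte .dat file from being flagged.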