New generation of Commwarrior – say NO to beauty, sex and love

Just to prove the family is not about to retire any time soon, another Commwarrior variant for mobile phones has struck. In fact, two new variants have been received (detection for which has been added as Symb/Beselo-A and Symb/Beselo-B) – both of which are reported to be in the wild [1].

Like previous members of the Commwarrior family, these new Beselo variants use Bluetooth and MMS functionality for spreading. Initial analysis also suggests the worm attempts to copy itself to flash memory cards inserted into the device. The worms run on Symbian S60-enabled devices (including Nokia 6600, 6630, 6680, 7610, N70 and N72 phones).

A slight twist in these variants is the use of misleading file extensions – Beselo sends itself out as a SIS file in messages using file extensions such as .jpg, .mp3 and .rm. Although the Symbian OS correctly identifies the file type by its content (and therefore alerts the user with an installation prompt), some users have clearly been fooled by the harmless-looking file extensions.

Once installed, Beselo creates the following files:

  • c:\system\data\[random_chars].exe
  • c:\system\data\[random_chars].dat
  • c:\system\data\[random_chars].ini

Beselo sends itself to numbers obtained from the device phone book, and also to numbers it generates itself. Sent MMS messages have the following characteristics:

  • Message body: Photo
  • Attachment: one of the following
    • beauty.jpg
    • sex.mp3
    • love.rm

Beselo also attempts to send itself via Bluetooth using the same filenames to phones within range.
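
The extension-versus-content mismatch described above can be checked on a gateway or in a sample triage script. The following is an added example, not code from the original post: it classifies an attachment by its leading bytes and flags a SIS installer carrying a media extension. The function names and sample payloads are constructed for illustration; the signature values are the commonly documented ones for SIS, JPEG, MP3 and RealMedia files.

```python
import struct

# File signatures. SIS UIDs are the values used by common file-type databases.
SIS_UID3_PRE9 = 0x10000419  # little-endian at offset 8, pre-Symbian 9 SIS
SIS_UID1_V9 = 0x10201A7A    # little-endian at offset 0, Symbian OS 9.x SIS
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".mp3", ".rm"}

def sniff_type(data: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring the filename."""
    if len(data) >= 12 and struct.unpack_from("<I", data, 8)[0] == SIS_UID3_PRE9:
        return "sis"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == SIS_UID1_V9:
        return "sis"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b".RMF"):
        return "rm"
    # MP3: ID3v2 tag, or an MPEG audio frame sync (11 set bits)
    if data.startswith(b"ID3") or (
        len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0
    ):
        return "mp3"
    return "unknown"

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with what the content actually is."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(data)
    disguised = ext in MEDIA_EXTENSIONS and actual == "sis"
    return {"file": filename, "claimed": ext, "actual": actual,
            "disguised_sis": disguised}

def constructed_sis_header() -> bytes:
    # Constructed header: arbitrary UID1, a UID2, the SIS UID3, zero padding.
    return struct.pack("<IIII", 0x0BADF00D, 0x10003A12, SIS_UID3_PRE9, 0) + b"\x00" * 16

# Constructed samples: two disguised installers and two genuine media headers.
SAMPLES = [
    ("beauty.jpg", constructed_sis_header()),
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("love.rm", constructed_sis_header()),
    ("clip.rm", b".RMF" + b"\x00" * 16),
]

def scan(samples):
    """Return the names of attachments that are SIS files posing as media."""
    return [n for n, d in samples if check_attachment(n, d)["disguised_sis"]]

if __name__ == "__main__":
    print(scan(SAMPLES))
```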