New proof-of-concept malcode designed to spread from desktop computers to wireless mobile devices has been discovered,...
according to the Mobile Malware Researchers Association (MARA).
Jonathan Read, a New Zealand-based CISSP and member of MARA -- a group formed last year to find and raise awareness regarding mobile device threats -- said in an e-mail Sunday that the malcode, dubbed Crossover, "is a proof-of-concept virus that shows how a virus can spread from a desktop computer to a Pocket PC. With the growing use of handheld devices, this type of virus may become very prevalent in the future."
The group noted that this malcode isn't actively in the wild. It's a proof of concept for educational purposes only. That said, the group warned that its appearance signals another shift in the threat landscape.
"This virus closes the gap between handhelds and desktops. Now its one big world open to all," the group said.
Read added, "For viruses to be more effective, they need to spread across a wider range of devices, including wireless devices. [AV organizations] have to be able to provide adequate protection to deal with these types of viruses."
A detailed analysis posted on the MARA Web site labeled the malcode Crossover because it is designed to spread from a desktop machine to a Pocket PC device, namely a handheld capable of running Microsoft Office and Outlook applications, and serve as a wireless phone.
"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," MARA said in the analysis. "It was sent to MARA anonymously."
When executed, MARA said, the virus checks what the current OS is. If it is not Windows or mobile, "the virus makes a copy of itself and puts a startup command to the copy in the registry local-machine-current-version-run." The virus "then quietly waits for an ActiveSync connection to be detected. It can wait infinitely, and every time the desktop is rebooted the virus recreates itself and again adds new copies to the registry." Theoretically, MARA said, "you can have so many copies running on startup it could degrade or halt the PC's performance."
When an ActiveSync connection is detected, the virus copies itself to the handheld device and remotely executes the virus to start running on it, the analysis added. The virus is programmed to erase all files in the My Documents directory of the device. It then copies itself to the Windows directory and creates a shortcut to the copy in Windowsstartup. When the device is reset, MARA said, the shortcuts execute their target files.