Antivirus researchers have discovered the first bug to target Microsoft's Pocket PC, and suspect it's the handiwork of the group behind such other proof-of-concept viruses as Cabir and Rugrat.
Russian-based antivirus firm Kaspersky Labs said Duts was created by Ratter, the pseudonym of a virus writer who is an active member of the international group 29A. The group is famous for its proof-of-concept viruses, like the mobile phone-targeting Cabir and Rugrat, the first known virus capable of attacking 64-bit Windows files. Cabir was launched in June; Rugrat in May.
"Duts… demonstrates that Windows Mobile is vulnerable to infection," Eugene Kaspersky, head of antivirus research at Kaspersky Labs, said on the company's Web site. "Our tests show that the virus can propagate effectively in such an environment. However, we don't expect a major outbreak. Duts is unable to spread independently, only infects a limited number of files, and signals its presence in the system when attempting to propagate."
Still, he added, "the events of the past month are really disturbing. The computer underground has pounced on the new opportunities offered by mobile devices. And now malicious programs are evolving in yet another direction, bringing the first global outbreak caused by a mobile virus closer and closer."
Carole Theriault, security consultant for Lynnfield, Mass.-based antivirus firm Sophos, agreed. Though she said on the company Web site that users are "more likely
F-Secure Corp. of Helsinki, Finland, said unlike Cabir, Duts is a traditional parasitic virus that infects other programs in the Pocket PC personal digital assistant (PDA) and spreads from one PDA to another when people exchange programs; by beaming a game, for example.
Duts is 1,520 bytes in size, Kaspersky said. It can penetrate mobile devices through e-mail or the Internet, through removable memory via synchronization with a PC or using Bluetooth technology.
If the user clicks yes, Duts penetrates all executable files larger than 4KB located in "My Device," the root directory. When infecting, the virus writes itself to the end of the file and modifies the entry point. An empty header field will then be flagged with the text "atar" to prevent re-infection of already infected files.
According to Sophos, Duts requires users to deliberately send it to other Pocket PC PDA owners. If the infected file is run it displays a message:
"WinCE4.Dust by Ratter/29A"
"Dear User, am I allowed to spread?"
The virus contains two messages:
"This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ..." and, "This code arose from the dust of Permutation City."
Noting that "Permutation City" is a novel by science fiction author Greg Egan -- set in the year 2050 and featuring a character obsessed with artificial life who generates computer personalities (known as "Copies") within a virtual world -- Theriault said, "If Ratter is ever investigated by the authorities, it seems likely that he will prove to be a sci-fi fanatic."