Three weeks after the 29A virus group launched Duts, the first proof-of-concept virus for personal digital assistants (PDAs) running PocketPC, a new Trojan horse is targeting the handheld devices, according to Russia-based Kaspersky Labs.
WinCE.Brador-A was probably written by a Russian virus coder, said Eugene Kaspersky, head of antivirus research at Kaspersky Labs. The Trojan was attached to an e-mail with a Russian sender and Russian text inside. The author was offering to sell the client part of the Trojan to all interested parties, which means there's a real chance the backdoor will be bought by somebody who will use it commercially. It comes with the following text: "Get to work, folks, the PocketPC market will soon explode."
"We were certain that a functional malicious program for PDAs would appear soon after the first proof-of-concept viruses emerged for mobile phones and Windows Mobile," Kaspersky said in a statement. "WinCE.Brador-A is a full-scale malicious program ready to go. Unlike proof-of-concept malware, Brador has a complete set of destructive functions typical for backdoors. Moreover, the offer to sell the client part proves that today, virus writing is big business."
Brador is a classic Trojan backdoor program, opening the infected machine to remote exploitation. It is 5,632 bytes in size and infects handheld devices running Pocket PC. "After the backdoor is launched, it creates the svchost.exe file in the Windows autorun folder, thus maintaining full control over the system every time the handheld is turned on," Kaspersky said. It then "identifies the machine's IP address and sends it to the author, informing him that the handheld is on the Internet and the backdoor is active. Finally, Brador opens port 44299 and awaits further commands."
The Trojan allows the author full control over the infected PDA via the port that it opens. Brador is programmed to upload and download files and execute a series of further commands. Like all backdoors, Brador cannot spread by itself. It can only arrive as an e-mail attachment, be downloaded from the Internet or uploaded along with other data from a desktop, Kaspersky said.
"PDA users face a real danger and we can be sure that the computer underground will snatch at the chance to attack PDAs and mobile phones in the near future," Kaspersky said. "Malware development for mobiles is passing through the same stages as malware for desktops. We will probably see a serious outbreak of viruses for handhelds sometime soon."
Cupertino, Calif.-based Symantec Corp. categorizes Brador as a level-one threat. Symantec threat levels range from one to five, with five the most severe.
"Backdoor server and Trojan horse programs often use enticing file names to trick users into executing them," Oliver Friedrichs, senior manager of Symantec Security Response, said in a statement. "Users should not open or execute files from unknown sources." Symantec's security experts recommend that compromised systems be completely reinstalled, because the remote user can perform so many different actions on the compromised system, including installing applications. Additionally, users should delete the file /Windows/StartUp/svchost.exe.
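The two indicators the article gives, the listening port 44299 described earlier and the autorun file named in the cleanup advice, can be checked from the defender's side. The script below is an added example, not code from Kaspersky or Symantec; it assumes a hypothetical firewall log format ("proto src:sport -> dst:dport action", constructed here) and a plain list of file paths synced off the handheld, and flags hosts that match one or both indicators.

```python
"""Flag WinCE.Brador-A indicators in constructed host and network data."""
import re
from typing import Dict, List

BRADOR_PORT = 44299                             # port the backdoor listens on (from the report)
BRADOR_PATH = "/Windows/StartUp/svchost.exe"    # autorun file it drops (from the report)

# Constructed sample firewall log in a hypothetical "proto src:sport -> dst:dport action" form.
SAMPLE_FIREWALL_LOG = """\
tcp 203.0.113.7:51234 -> 192.0.2.10:80 allow
tcp 198.51.100.22:40001 -> 192.0.2.15:44299 allow
udp 192.0.2.15:5353 -> 224.0.0.251:5353 allow
tcp 198.51.100.22:40002 -> 192.0.2.15:44299 deny
"""

LOG_RE = re.compile(r"^(\w+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def find_port_hits(log_text: str, port: int = BRADOR_PORT) -> List[Dict[str, str]]:
    """Return inbound TCP records whose destination port is the backdoor's port."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                                # skip lines not in the assumed format
        proto, src, _sport, dst, dport, action = m.groups()
        if proto == "tcp" and int(dport) == port:
            hits.append({"src": src, "dst": dst, "action": action})
    return hits


def find_autorun_file(file_listing: List[str], path: str = BRADOR_PATH) -> List[str]:
    """Return listing entries matching the dropped file; compared case-insensitively as on Windows."""
    return [f for f in file_listing if f.lower() == path.lower()]


def assess(log_text: str, file_listing: List[str]) -> Dict[str, object]:
    """Combine both indicators; a device showing both is the case for which a full reinstall is advised."""
    port_hits = find_port_hits(log_text)
    files = find_autorun_file(file_listing)
    return {
        "port_hits": port_hits,
        "autorun_files": files,
        "reinstall_recommended": bool(port_hits) and bool(files),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_FIREWALL_LOG, ["/Windows/Startup/svchost.exe", "/Windows/calc.exe"]))
```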