The First Pocket PC Trojan Horse Found in the Wild

The first backdoor Trojan horse designed to attack Pocket PCs running the Windows CE operating system has been detected in the wild and is spreading among Pocket PC users. However, as with all Trojan horses, this one does not spread on its own: PDA users are enticed into opening the malicious application, which arrives as an email attachment.

Brador is a classic Trojan backdoor program: it opens the infected machine for remote administration. Brador is 5632 bytes in size.

When Backdoor.Brador.A is launched, it performs the following actions:

1) Copies itself to Windows/StartUp/Svchost.exe (5632 bytes) so that it starts when Windows starts.

2) Continually attempts to send the attacker the IP address of the handheld by email until it succeeds.

3) Opens TCP port 2989 and waits for further instructions from the attacker.

4) Allows the attacker to remotely perform the following commands:

  • List the directory contents
  • Upload a file
  • Display a message box
  • Download a file
  • Execute the specified command

Brador was written to give the malware author full control over the infected PDA via the port that the Trojan opens. It can upload and download files and execute a series of further commands.
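The write-up gives two host-side indicators a defender can check for: the persistence copy in the StartUp folder (5632 bytes) and the TCP listener on port 2989. The following is an added example, not code from the original article or from any vendor; it runs those checks over constructed inputs (a directory listing as (path, size) pairs and netstat-style socket lines, whose format is an assumption).

```python
import re
from typing import Iterable, List, Tuple

# Indicators taken from the write-up above.
STARTUP_DROP = "windows/startup/svchost.exe"  # path of the persistence copy
DROP_SIZE = 5632                               # size of the dropped file in bytes
BACKDOOR_PORT = 2989                           # TCP port the backdoor listens on

# Matches netstat-style lines like "TCP  0.0.0.0:2989  0.0.0.0:0  LISTENING"
# (constructed sample format, not output captured from a real Pocket PC).
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)


def scan_startup(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Flag a copy of svchost.exe dropped into the StartUp folder.
    The real svchost.exe never lives in StartUp, so the path alone is
    suspicious; a size of exactly 5632 bytes upgrades the match to strong."""
    hits = []
    for path, size in entries:
        if path.replace("\\", "/").lower().endswith(STARTUP_DROP):
            strength = "strong" if size == DROP_SIZE else "weak"
            hits.append(f"{strength}: startup persistence file {path} ({size} bytes)")
    return hits


def scan_listeners(netstat_lines: Iterable[str]) -> List[str]:
    """Flag a TCP socket listening on the backdoor's command port."""
    hits = []
    for line in netstat_lines:
        m = _LISTEN_RE.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT:
            hits.append(f"strong: TCP listener on port {BACKDOOR_PORT} bound to {m.group(1)}")
    return hits


def scan_device(entries, netstat_lines) -> List[str]:
    """Run both checks; an empty list means no Brador indicator matched."""
    return scan_startup(entries) + scan_listeners(netstat_lines)


# Constructed sample inputs so the script runs stand-alone.
SAMPLE_FILES = [("\\Windows\\StartUp\\Svchost.exe", 5632),
                ("\\Windows\\StartUp\\welcome.lnk", 220),
                ("\\Windows\\svchost.exe", 9000)]       # not in StartUp: ignored
SAMPLE_NETSTAT = ["TCP    0.0.0.0:2989     0.0.0.0:0    LISTENING",
                  "TCP    192.168.1.7:1030 10.0.0.5:80  ESTABLISHED"]

if __name__ == "__main__":
    for hit in scan_device(SAMPLE_FILES, SAMPLE_NETSTAT):
        print(hit)
```

A listener on 2989 or a file in StartUp named svchost.exe of any size is worth investigating; only the 5632-byte file is a direct match for this sample.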

"WinCE.Brador.a is a full-scale malicious program ready to go: Brador has a complete set of destructive functions typical for backdoors," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.

According to information received by the Kaspersky Virus Lab, Brador was probably written by a Russian virus coder. The Trojan was attached to an email with a Russian sender address and Russian text inside.

Interestingly enough, the author is offering to sell the client part for the Trojan to all interested parties, which means that there is a real chance that the backdoor may be bought by somebody who will use it commercially (bot network creation, for instance). Virus writers are turning professional with a vengeance.

"PDA users face a real danger and we can be sure that the computer underground will snatch at the chance to attack PDAs and mobile phones in the nearest future," added Eugene Kaspersky, "malware development for mobiles is passing through the same stages as malware for desktops: we will probably see a serious outbreak of viruses for handhelds sometime soon."

For systems infected with the Brador virus, antivirus vendor Symantec recommends deleting the /Windows/Startup/svchost.exe file in the Windows CE operating system and completely reinstalling the OS and all applications.

© PDA cortex. All Rights Reserved