The first backdoor Trojan horse designed to attack
Pocket PCs running the Windows CE operating system has been detected
in the wild and is spreading among Pocket PC users. However, as
with all Trojan horses, this one doesn't spread on its own:
PDA users are being enticed to open the malicious application,
which arrives as an email attachment.
Brador is a classic Trojan backdoor program: it opens the infected
machine for remote administration. Brador is 5632 bytes in size.
When Backdoor.Brador.A is launched, it performs the following
actions:
1) Copies itself to Windows/StartUp/Svchost.exe (5632 bytes)
so that it starts when Windows starts.
2) Continually attempts to send the attacker the IP address of
the handheld by email until it succeeds.
3) Opens TCP port 2989 and waits for further instructions from
the attacker.
4) Allows the attacker to run commands on the device remotely.
Brador is written to give the malicious code writer full control
over the infected PDA via the port that the Trojan opens. It
is programmed to upload and download files and to execute a series
of further commands.
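As an added defender-side example (not code from the page or from any vendor), the following Python triage checks a set of Pocket PC artifacts for two of the indicators listed above: the startup copy at Windows/StartUp/Svchost.exe (5632 bytes) and a TCP listener on port 2989. The file listing and the netstat-style lines are constructed sample input, and the path comparison is case-insensitive because the page itself spells the path two ways.

```python
import re
from dataclasses import dataclass

# Indicators as stated in the write-up above. The triage logic itself is
# constructed for this example, not taken from any vendor tool.
BRADOR_STARTUP_PATH = "windows/startup/svchost.exe"  # compared case-insensitively
BRADOR_FILE_SIZE = 5632
BRADOR_LISTEN_PORT = 2989

@dataclass
class Finding:
    kind: str    # "file" or "network"
    detail: str

def normalise_path(path: str) -> str:
    # Windows CE paths are case-insensitive and may use either separator.
    return path.replace("\\", "/").strip("/").lower()

def check_startup_files(listing):
    """listing: iterable of (path, size_in_bytes) for the startup folder."""
    findings = []
    for path, size in listing:
        if normalise_path(path) != BRADOR_STARTUP_PATH:
            continue
        if size == BRADOR_FILE_SIZE:
            findings.append(Finding("file", f"{path} matches Brador size ({size} bytes)"))
        else:
            # Same name but a different size: could be a variant; flag for manual review.
            findings.append(Finding("file", f"{path} present but unexpected size {size}; inspect manually"))
    return findings

def check_listeners(netstat_lines):
    """netstat_lines: constructed 'PROTO LOCAL REMOTE STATE' text lines."""
    findings = []
    for line in netstat_lines:
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line, re.I)
        if m and int(m.group(1)) == BRADOR_LISTEN_PORT:
            findings.append(Finding("network", f"TCP {BRADOR_LISTEN_PORT} listening: {line.strip()}"))
    return findings

def triage(listing, netstat_lines):
    return check_startup_files(listing) + check_listeners(netstat_lines)

# Constructed sample artifacts for a device showing both indicators.
SAMPLE_LISTING = [("\\Windows\\StartUp\\Svchost.exe", 5632), ("/Windows/Startup/notes.lnk", 120)]
SAMPLE_NETSTAT = ["TCP 0.0.0.0:2989 0.0.0.0:0 LISTENING",
                  "TCP 192.168.1.5:80 10.0.0.1:4444 ESTABLISHED"]

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING, SAMPLE_NETSTAT):
        print(f"[{f.kind}] {f.detail}")
```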
"WinCE.Brador.a is a full-scale malicious program ready
to go: Brador has a complete set of destructive functions typical
for backdoors," commented Eugene Kaspersky, Head of Anti-Virus
Research at Kaspersky Labs.
According to information received by the Kaspersky Virus Lab,
Brador was probably written by a Russian virus coder. The Trojan
was attached to an email with a Russian sender address and Russian
text inside.
Interestingly enough, the author is offering to sell the client
part for the Trojan to all interested parties, which means that
there is a real chance that the backdoor may be bought by somebody
who will use it commercially (bot network creation, for instance).
Virus writers are turning professional with a vengeance.
"PDA users face a real danger and we can be sure that the
computer underground will snatch at the chance to attack PDAs
and mobile phones in the nearest future," added Eugene Kaspersky.
"Malware development for mobiles is passing through the same
stages as malware for desktops: we will probably see a serious
outbreak of viruses for handhelds sometime soon."
For systems infected with the Brador virus, antivirus vendor
Symantec recommends deleting the /Windows/Startup/svchost.exe
file in the Windows CE operating system and completely reinstalling
the OS and all applications.