Home > Articles > Security > Network Security

Details Emerge on the First Windows Mobile Virus (Part 1 of 3)

  • Print
  • + Share This
This three-part series by Cyrus Peikari, Seth Fogie, and Ratter/29A discusses the development of viruses for the Windows Mobile platform. Part 1 describes the first, WinCE4.Dust.
Also see Part 2 of this series.
Like this article? We recommend

Like this article? We recommend

One of Microsoft's most important initiatives is the Windows Mobile platform. Windows Mobile is powered by Windows CE, which is a stable, efficient, truly multitasking operating system offering nothing less than a full, miniaturized version of Windows 2000. In short, it's a masterpiece. Unfortunately, Windows CE was designed without security. In addition, virus writers have created the first virus for Windows CE, known as WinCE4.Dust, as proof of concept.

What Is WinCE4.Dust?

WinCE4.Dust is the first known Windows CE virus to run on ARM-based devices running Windows Mobile Pocket PC. It was released to all major antivirus companies on July 16, 2004 by its author, Ratter, of the virus-writing group known as 29a (the hex equivalent of the number 666). This is a live, working proof-of-concept virus that infects all .exe files in the root directory of the Pocket PC device.

WinCE4.Dust does no serious or permanent damage to the infected device, with the exception of infecting .exe files in the root directory. Infected files will run the viral code on execution and will then continue to operate as normal.

Several safety features are built into the virus to help prevent it from spreading in the wild. First, when executed, the virus asks the user if it's allowed to spread. Only if the user grants permission will it infect other files. Second, the virus infects only .exe files located in the root directory of the Pocket PC device. All other .exe files on the PDA are safe from infection.

When a user executes the file, she will be shown a dialog box (see Figure 1).

Figure 1Figure 1 Screen shot of WinCE4.Dust.

At this point, the virus will systematically infect all non-infected .exe files located in the root directory of the PDA. It's careful to skip currently executing files and won't re-infect previously infected files.

  • + Share This
  • 🔖 Save To Your Account