At approximately 4:45 p.m. EST on July 16, 2004, Airscanner Corporation, along with other antivirus companies, received email from a previously unknown individual named Ratter/29A. Attached to the email, along with a brief explanation, was a file named Dust.zip. When extracted, this file contained three executable files: PocketIRC.exe, TRE.exe, and wince_dust.exe.
PocketIRC.exe and TRE.exe were samples of infected executables; wince_dust.exe was a sample of the virus code only (that is, the parent virus). Apparently, this virus was released to antivirus companies as proof of concept and was created to demonstrate that a virus could be written for the Pocket PC environment.
WinCE4.Dust is an example of a classic virus, but it has overcome technical obstacles to become the first virus to infect Windows CE. It infects only existing .exe files located in the root directory of the PDA. The virus doesn't spread via any networking function and doesn't operate as a memory-resident process. Because of its method of self-replication (recursively appending itself to every file in the directory) and how it spreads (requiring an initial user action), WinCE4.Dust meets all the criteria for a computer virus.
This is a low-risk virus. It was created with the sole intent of serving as a proof-of-concept program to demonstrate the possibility of viral activity on the Windows CE platform. In fact, hidden in the binary, the author gives this humorous message, "This is proof of concept code. Also, [I] wanted to make avers [antivirus researchers] happy. The situation when Pocket PC antiviruses detect only EICAR file [a harmless, standardized test file] had to end..."
The risk is low because the virus requires a user to permit it to spread to other files. In addition, the infection process targets only files located in the root directory of the PDA, which limits the number of potentially infected programs.
When executed, the virus only scans for and infects other non-infected .exe files in the root folder. It skips any file that has already been infected (marked within the file by the tag ATAR). It doesn't damage the PDA or any other file on the device. Therefore, WinCE4.Dust is not a serious threat to infected PDAs. It's remarkable in that it demonstrates the first working method by which a virus can infect files on a Windows Mobile device.
If an infected file is viewed with a hex editor, the following messages appear near the end of the file:
This code arose from the dust of Permutation City This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ...
When the virus is executed, either via an infected executable or via wince_dust.exe, it creates a list of coredll.dll functions in memory, which are then used for function calls during the rest of the virus' execution. Once this list is placed in memory, the virus displays the message shown in Figure 2.
Figure 2 WinCE4.Dust asking user permission to spread.
If the user selects No, a condition flag is set in the process that forces the virus code to calculate the infected program's real start address, which is then executed.
If the user selects Yes, the virus sets aside some space in memory and then locates the first .exe file in the root directory. If this function returns a filename, it checks whether the file is greater than 4,096 bytes; if so, it starts the infection routine.
First, the virus checks that the file is writeable, which it would not be if the file were currently in use. It then runs several checks to verify that the file is a true .exe and that it hasn't already been infected: an infected file is marked with the word ATAR at offset 0x11C. Without this check, the virus would re-infect files over and over until the device ran out of memory. If the target .exe passes the checks, the viral code is appended to the target file, which increases the file size by 1,536 bytes. Finally, the PE header is altered so that the newly appended virus code runs when the infected file is executed, and the ATAR tag is written.
Once the virus code has determined that there are no more uninfected .exe files, it calculates the correct starting address for the executing file and redirects the process to this point. The infected program then operates as normal.
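The indicators given above (the ATAR tag at file offset 0x11C, the plain-text messages near the end of an infected file, and the root-directory-only scope) are enough to build a simple scanner. The following is an added example written for this page; it is not Airscanner's tooling or any code from the virus. It assumes a minimal PE validity check (MZ header whose e_lfanew points at a PE signature), searches the last 4,096 bytes of a file for the marker strings (the window size is an assumption), and uses constructed sample images that carry only headers and indicator bytes, no executable code.

```python
import struct
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the analysis above: the ATAR tag at file offset 0x11C and the
# plain-text messages that sit near the end of an infected file.
ATAR_TAG = b"ATAR"
ATAR_OFFSET = 0x11C
MARKER_STRINGS = (
    b"This code arose from the dust of Permutation City",
    b"This is proof of concept code.",
)
TAIL_WINDOW = 4096  # trailing bytes searched for the marker strings (assumption)


def is_pe(data: bytes) -> bool:
    """True if the image has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_dust(data: bytes) -> Dict[str, bool]:
    """Report which WinCE4.Dust indicators a file image carries.

    A non-PE file can never be a Dust host, so it is reported clean even if the
    bytes 'ATAR' happen to occur at offset 0x11C.
    """
    pe = is_pe(data)
    has_tag = data[ATAR_OFFSET:ATAR_OFFSET + len(ATAR_TAG)] == ATAR_TAG
    has_strings = any(s in data[-TAIL_WINDOW:] for s in MARKER_STRINGS)
    return {
        "pe": pe,
        "atar_tag": has_tag,
        "marker_strings": has_strings,
        "infected": pe and (has_tag or has_strings),
    }


def scan_directory(root: Path) -> List[str]:
    """Scan the .exe files directly inside one directory (not recursively; the root
    directory is also the only place Dust looks) and return the names flagged."""
    flagged = []
    for path in sorted(root.glob("*.exe")):
        if check_dust(path.read_bytes())["infected"]:
            flagged.append(path.name)
    return flagged


# --- constructed sample images: a bare MZ/PE skeleton plus indicator bytes, no code ---
def build_sample(infected: bool, size: int = 5000) -> bytes:
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew: PE signature at offset 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    if infected:
        img[ATAR_OFFSET:ATAR_OFFSET + 4] = ATAR_TAG
        msg = MARKER_STRINGS[0]
        img[size - 16 - len(msg):size - 16] = msg   # message near the end of the file
    return bytes(img)


def demo_scan() -> List[str]:
    """Write one clean and one marked sample into a temporary root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.exe").write_bytes(build_sample(False))
        (root / "infected.exe").write_bytes(build_sample(True))
        (root / "notes.txt").write_bytes(build_sample(True))  # not an .exe, ignored
        return scan_directory(root)


if __name__ == "__main__":
    print(demo_scan())  # ['infected.exe']
```

Requiring a valid PE header before trusting the ATAR bytes keeps the check from flagging arbitrary data files that happen to contain the tag, and looking for the marker strings as a second indicator catches a sample whose tag offset has been altered while the appended text remains.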