Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


First Pocket PC Worm - "Win CE4 Dust"

  • Please log in to reply
1 reply to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:01:04 AM

Posted 17 July 2004 - 03:47 PM

First Pocket PC Worm - "Win CE4 Dust"

This detection is for a proof of concept file virus written for the PocketPC platform. The virus bears the following characteristics:

* it is coded for ARM CPUs.
* it is a parsitic file infector, appending itself to host files upon infection.
* This is a proof of concept, and is not expected to pose any threat in the wild.
* Infected files increase in size 1,520 bytes.
* Upon infecting a machine, the virus prompts the user as follows, before infection of other files occurs:

Dear User, am I allowed to spread?
The virus also contains other messages in its body:
This code arose from the dust of Permutation City
This is proof of concept code. Also i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR had to end ...


Called WinCE4.Dust, "it infects pocket pc's PE files (ARM) in root (My Device) directory", as the virus author himself noted in a message addressed, probably, to most antivirus laboratories. The virus author, by his nickname Ratter, is part of the famous 29A VX group and created this virus "not meant to spread", just as "a proof of concept code". In order to run, the virus needs a mobile compatible device running Microsoft Windows CE operating system. The virus displays a message box, asking for user's permission to spread to other files. Since Microsoft do not offer hotfixes for Pocket PC and only offer Service Packs through OEM channels, how will this effect end users in the next coming months/years?

BC AdBot (Login to Remove)


#2 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:11:04 PM

Posted 18 July 2004 - 08:33 AM

Kaspersky Labs has a news release out about this also:

Curious to me that Ratter, the virus author, calls it Dust but all the AV companies call it Duts .

Attached Files

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users