My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


5632 bytes, written in ARM assembly


Presence of the file svchost.exe in the WinCE startup folder (Windows\Startup)

Removal instructions:

Delete the infected file.

Analyzed By

Mihai Chiriac BitDefender Virus Researcher

Technical Description:

Although this is the first backdoor attacking the WinCE platform, it contains advanced features
such as listing folder contents, uploading and downloading of files, remote execution of files,

When run, the worm copies itself to the WinCE startup folder as svchost.exe; this way it will gain
on every system boot; then the backdoor attempts to initialize the Windows Socket interface
(the minimum version it accepts is 1.1) and, if successfull, it creates a socket and binds it to
port 2989 ("BAD" in ASCII).

Then it attempts to connect to port 25 (SMTP) of the server (which is a known
Russian mail server) and send informations to the author, using the address

For the mail sending routine, this backdoor uses its own implementation of a trivial SMTP client,
with no error-checking.

> Backdoor functions:

The worm accepts connections incoming on port 2989. The communication is rather simple: the attacker
sends a one-character command, the backdoor attempts tp find this character in a string and uses
the index to jump to a function (from a function table).

> Commands:

"d" : Enumerate files, and send to the author their names and sizes
"g" : Send a file to the attacker, in 1024-byte chunks
"r" : Execute a process (or command) on the infected host
"p" : Download a file from the attacker, in 1024-byte chunks
"m" : Displays a message box
"f" : Closes the communication port