'Crossover' malcode could jump from PC to handheld

By Bill Brenner, Senior News Writer 27 Feb 2006 | SearchSecurity.com

News on networking, mobility and voice Digg This!     StumbleUpon     Del.icio.us

New proof-of-concept malcode designed to spread from desktop computers to wireless mobile devices has been discovered, according to the Mobile Malware Researchers Association (MARA).

Jonathan Read, a New Zealand-based CISSP and member of MARA -- a group formed last year to find and raise awareness regarding mobile device threats -- said in an e-mail Sunday that the malcode, dubbed Crossover, "is a proof-of-concept virus that shows how a virus can spread from a desktop computer to a Pocket PC. With the growing use of handheld devices, this type of virus may become very prevalent in the future."

The group noted that this malcode isn't actively in the wild. It's a proof of concept for educational purposes only. That said, the group warned that its appearance signals another shift in the threat landscape.

"This virus closes the gap between handhelds and desktops. Now its one big world open to all," the group said.

Read added, "For viruses to be more effective, they need to spread across a wider range of devices, including wireless devices. [AV organizations] have to be able to provide adequate protection to deal with these types of viruses."

A detailed analysis posted on the MARA Web site labeled the malcode Crossover because it is designed to spread from a desktop machine to a Pocket PC device, namely a handheld capable of running Microsoft Office and Outlook applications, and serve as a wireless phone.

"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," MARA said in the analysis. "It was sent to MARA anonymously."

When executed, MARA said, the virus checks what the current OS is. If it is not Windows or mobile, "the virus makes a copy of itself and puts a startup command to the copy in the registry local-machine-current-version-run." The virus "then quietly waits for an ActiveSync connection to be detected. It can wait infinitely, and every time the desktop is rebooted the virus recreates itself and again adds new copies to the registry." Theoretically, MARA said, "you can have so many copies running on startup it could degrade or halt the PC's performance."

When an ActiveSync connection is detected, the virus copies itself to the handheld device and remotely executes the virus to start running on it, the analysis added. The virus is programmed to erase all files in the My Documents directory of the device. It then copies itself to the Windows directory and creates a shortcut to the copy in Windowsstartup. When the device is reset, MARA said, the shortcuts execute their target files.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary