Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases: Duts.1520, WinCE/Duts.1520, WinCE.Duts.A, WINCE_DUTS.A, Virus.WinCE.Duts.a
Type: Virus
Affect: WinCE and Windows Mobile 5 on ARM/XScale based systems.

WinCE/Dust.1536 is a simple, non-memory resident parasitic Windows CE file infector that affects ARM/XScale based microprocessors. This affects for instance Pocket PC 2000, 2002, 2003, 2003 SE and Windows Mobile 5.

Upon execution of a WinCE/Dust.1536 infected file the virus politely asks for permission to infect other files with a message box titled "WinCE4.Dust by Ratter/29A" and the text "Dear User, am I allowed to spread?" The virus writer "Ratter" from the 29A virus writing group lives in Czech Republic and is well known for writing so called proof-of-concept viruses such as Cabir.

If the user answers this question with "No" the virus passes control to the infected host file without trying to infect other executables.

Note: The virus remains in the executable file after pressing "No", meaning this Message box will be displayed any time the infected file is run.

The virus determines the file size of all WinCE executables in the Device Root folder and infects those files which are larger than 4096 Bytes and which are not already infected with this virus. The virus uses the infection marker "atar" in the PE header to mark already infected files so as to avoid multiply infection.

The virus modifies the last section of the PE file: It enlarges it with 1536 bytes and marks it read/executable. After that the virus places its own code at the end of every file and changes the entry point to ensure the viral code will run first prior to passing control to the intended program. All infected executable files will grow by 1536 bytes.

The virus code contains three sentences around which are never displayed:

This is proof of concept code. Also, i wanted to make avers happy.
The situation when Pocket PC antiviruses detect only EICAR file had to end ...
This code arose from the dust of Permutation City.

The virus doesn't have any payload functionality and was entire written in assembly language
for arm processors using the freely available ARMASM kit. It was the first parasitic file infector virus for the windows CE platform.

History: Analysis and Write-up by: Michael St. Neitzel