The Mobile Malware Researchers Association (MARA) has found what is believed to be the first malware to cross-infect a handheld PDA from a binary on the desktop PC.
The malware, a Trojan dubbed “crossover”, spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld.
Detailed analysis and the malware binary are available to antivirus companies and security experts who qualify for MARA membership, which is free.
This proof-of-concept virus spreads from a desktop PC to a Windows CE or Windows Mobile device. It runs on every startup through an entry in the registry, then waits for an ActiveSync connection to be detected. On every boot the virus recreates itself and again adds new startup commands to the registry, which could over time lead to performance degradation on the host PC.
When an ActiveSync connection is detected, the virus copies itself to the mobile device and starts executing on the PDA. It erases all files in the \My Documents directory of the device, copies itself to the \Windows directory, and creates a shortcut to the copy in \Windows\startup.
The crossover virus was written in C# (C Sharp) using Visual Studio .NET 2003 and the Communications Library of openNETCF.org.
It should run on any Windows handheld device running Windows CE or Windows Mobile and .NET Compact Framework 1.1.