First Windows CE Virus Surfaces

The "proof-of-concept" WinCE4.Dust Virus works only on ARM hardware and performs simple file infection.

The first known virus for the Windows CE operating system has been developed and sent to anti-virus companies.

The virus, known as WinCE4.Dust, does no direct damage to the system. When it's executed, according to descriptions from several anti-virus companies, it asks, "Dear User, am I allowed to spread?" Symantec notes that if the user responds affirmatively, "it will attempt to append itself to all non-infected EXE files in the directory which it is currently running." F-Secure's analysis of the virus indicates that it only infects files larger than 4,096 bytes.

A variety of spellings of the virus name are being used, including "Dust," "Duts" and "Dtus." A screen shot of a file dump of a portion of the virus in F-Secure's analysis shows the quote "This code arose from the dust of Permutation City" embedded in the virus.

The analysis declares this to be the origin of the virus name, but then goes on to call it both Duts and Dtus. The virus also contains this string: "This is proof of concept code. Also, i wanted to make avers happy. The situation when Pocket PC antiviruses detect only EICAR file had to end ..."

The first report of the virus came from BitDefender, whose Lab Director Viorel Canja said: "This is a common excuse for virus writers, to pretend that they create viruses in order to make avers [anti-virus producers] happy. Making viruses doesn't make anyone's life happier, as it's making it harder and harder to live for the ordinary user."

Similar proofs of concept for new platforms have emerged in the past, but they were not necessarily followed by actual attacks. Just last month a conceptual virus for cell phones running the Symbian operating system was developed.
