WinCE/Brador.A!tr - Released Aug 05, 2004
Aliases: Backdoor.Brador.A, WinCE/BackDoor-CHK, WinCE/Brador.A!tr, WINCE_BRADOR.A
Detection Availability
Visible Symptoms
- Creation of the file "svchost.exe" in the C:\Windows\Startup path on Windows CE handhelds
- An open connection on TCP port 2989
Detailed Analysis
Specifics
This Trojan is a proof-of-concept for Windows CE handheld
devices. The Trojan is 5,632 bytes in size and was written
in assembly language for ARM processors.
The Trojan contains instructions to send a short note
in this format:
From: br@mail.ru
To: brokensword@ukr.net
The note is sent as a notification that the handheld
device is compromised, and it includes the IP address
of the handheld device.
The Trojan binds to TCP port 2989 and awaits instructions
from a malicious user.
Loading at Windows Startup
When the Trojan is run on a Windows CE handheld device,
it may copy itself to the folder 'c:\windows\startup\'.
Any file placed in this folder is run automatically
when the device starts.
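The two visible symptoms listed above and the behaviour described in this analysis (the dropped svchost.exe in the Startup folder, its 5,632-byte size, and the TCP 2989 listener) can be checked against a device inventory. The following is an added example, not part of the Fortinet advisory; the file and connection records are constructed, and the FileEntry/Connection types and scan() function are this example's own.

```python
import re
from typing import Iterable, NamedTuple

# Indicators taken from the advisory: dropped file location, size, and port.
BRADOR_FILE = re.compile(r"[\\/]windows[\\/]startup[\\/]svchost\.exe$", re.IGNORECASE)
BRADOR_SIZE = 5632
BRADOR_PORT = 2989

class FileEntry(NamedTuple):
    path: str
    size: int

class Connection(NamedTuple):
    proto: str
    local_port: int
    state: str

def check_files(files: Iterable[FileEntry]) -> list:
    """Flag a svchost.exe sitting in the Windows CE Startup folder."""
    findings = []
    for f in files:
        if BRADOR_FILE.search(f.path):
            note = f"startup dropper {f.path}"
            if f.size == BRADOR_SIZE:
                note += " (size matches Brador.A sample)"
            findings.append(note)
    return findings

def check_connections(conns: Iterable[Connection]) -> list:
    """Flag a TCP listener or session on the Brador control port."""
    return [
        f"tcp/{c.local_port} {c.state.lower()} (Brador.A backdoor port)"
        for c in conns
        if c.proto.upper() == "TCP" and c.local_port == BRADOR_PORT
    ]

def scan(files: Iterable[FileEntry], conns: Iterable[Connection]) -> list:
    """Combine both indicator checks into one list of findings."""
    return check_files(files) + check_connections(conns)

# Constructed sample inventory and socket table (not from a real device).
SAMPLE_FILES = [
    FileEntry(r"\Windows\Startup\svchost.exe", 5632),
    FileEntry(r"\Windows\calc.exe", 21504),
    FileEntry(r"\My Documents\notes.txt", 120),
]
SAMPLE_CONNS = [
    Connection("TCP", 2989, "LISTEN"),
    Connection("TCP", 80, "ESTABLISHED"),
    Connection("UDP", 2989, ""),  # same number on UDP is not the indicator
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FILES, SAMPLE_CONNS):
        print(line)
```

A svchost.exe elsewhere on the device is not flagged; only the Startup-folder location from the advisory counts.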
Recommended Action
- Check the main screen in the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option