
WinCE/PMCryptic.A!worm - Released Nov 24, 2008 - Last Updated Jan 15, 2009

Detection Availability

                  Active Database   Extended Database
  FortiGate       low               high
  FortiClient
  FortiMail       N/A

Visible Symptoms

  • The following message is displayed: "evU__cOW"

  • The following error message pops up:
    [Figure 1: Error Message]

  • Text and background colors change:
    [Figure 2: Windows and Background color changed]

  • Finally, text and background colors change to black:
    [Figure 3: Text and background color changed to black]

Detailed Analysis

WinCE/PMCryptic.A!worm is a worm targeting Windows Mobile devices. Its goal is to spread to as many systems as possible by being carried on swapped flash cards, and to place calls to a single non-toll-free number (namely "1860") from infected devices, possibly resulting in unexpectedly high bills for their owners.

A noteworthy feature of this worm is that it is polymorphic: on each replication, the new copy of the worm is a different file, although it has the same functionality.


Technical details

Upon infecting a new device, the worm takes the following actions:

  • Displays the following message: "evU__cOW"

  • Deletes itself from the current directory.

  • Marks any files or folders it created as hidden.

  • Drops the following files in the %WINDOWS% folder and on the Storage Card:
    • 2577\autorun.exe
    • 2577\[5 random characters].exe
    • [random folder].exe
    • [random folder]\[5 random characters].exe
    • [5 random characters].exe

  • May also drop the following files:
    • windows.exe
    • system.exe
    [Figure 4: windows.exe file with the hidden attribute]

  • Changes the user interface colors.

  • Dials the following number:
    • 1860

  • Other properties
    • Polymorphism is implemented as an XOR operation with an 8-byte variable key. There are three layers of encrypted data; for each layer, a new key is generated by an AND operation.
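Because every replicated copy is a different file, matching on a file hash finds only the one copy already seen; the drop pattern above (fixed names, five-character random names, the 2577 folder, the hidden attribute) is a more stable indicator. The following is an added example, not Fortinet's code or anything from the original entry: it triages a storage-card file listing against that pattern. The listing, its hidden flags and the file names in it are constructed sample data, and a bare five-character name is deliberately not enough on its own, since a legitimate setup.exe also has five characters.

```python
import re

# Constructed sample listing of a storage card: (relative path, hidden attribute set).
# The random names below are made up to match the "[5 random characters].exe" pattern.
SAMPLE_LISTING = [
    ("2577\\autorun.exe", True),
    ("2577\\kqzvt.exe", True),
    ("windows.exe", True),
    ("setup.exe", False),          # legitimate-looking installer, not hidden
    ("photos\\img001.jpg", False),
    ("docs\\readme.txt", False),
]

# Names taken from the drop list above.
FIXED_DROP_NAMES = {"autorun.exe", "windows.exe", "system.exe"}
FIVE_RANDOM_EXE = re.compile(r"^[a-z0-9]{5}\.exe$")
DROP_DIR = "2577"


def classify(path, hidden):
    """Return the reasons a path matches the drop pattern; an empty list means no match."""
    parts = path.replace("/", "\\").lower().split("\\")
    name = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""

    reasons = []
    if name in FIXED_DROP_NAMES:
        reasons.append("known drop name " + name)
    elif FIVE_RANDOM_EXE.match(name):
        reasons.append("five-character .exe name")
    if not reasons:
        return []

    # A name match alone is too weak; require at least one corroborating signal.
    corroboration = []
    if parent == DROP_DIR:
        corroboration.append("inside " + DROP_DIR + " folder")
    if hidden:
        corroboration.append("hidden attribute set")
    return reasons + corroboration if corroboration else []


def triage(listing):
    """Map each suspicious path to its reasons; files that do not match are omitted."""
    findings = {}
    for path, hidden in listing:
        reasons = classify(path, hidden)
        if reasons:
            findings[path] = reasons
    return findings
```

Run `triage(SAMPLE_LISTING)` to see the three dropped files reported with their reasons while setup.exe and the data files are left alone.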

Recommended Action

  FortiGate Systems

    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

  FortiClient Systems

    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Reference: ID - 635393