WinCE/Duts is a threat specific to Windows CE (also known as Pocket PC). It is little more than a proof of concept, demonstrating that a virus can infect the Windows CE platform.
The virus only infects files that are not already infected. It marks each infected file with a byte string inserted into the file header: the hex bytes 61 74 61 72, which translate to 'atar' in ASCII.
The virus attempts to infect .EXE files on the host system and in the root folder. WinCE/Duts infects a file by appending its code and modifying the entry point so that the appended code runs.
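
The two file-level traits described above (the 'atar' mark in the header and an entry point redirected into appended code) can be checked with a short triage script. This is an added example, not part of the original description or any vendor signature; it assumes the mark may sit anywhere in the header region, since the description gives no offset, and treats "entry point in the last section" as a stand-in for "entry point in appended code". The function names and the sample header are constructed for illustration.

```python
import struct

MARKER = bytes.fromhex("61746172")  # 'atar', the infection mark described above

def parse_pe(data):
    """Return (size_of_headers, entry_rva, [(rva, size), ...]) or None if not PE."""
    try:
        if data[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24                                   # start of optional header
        entry = struct.unpack_from("<I", data, opt + 16)[0]
        hdr_size = struct.unpack_from("<I", data, opt + 60)[0]
        secs = []
        for i in range(nsec):                           # 40-byte section headers
            vsize, rva, rsize = struct.unpack_from("<III", data, opt + opt_size + 40 * i + 8)
            secs.append((rva, max(vsize, rsize)))
        return hdr_size, entry, secs
    except struct.error:                                # truncated or malformed file
        return None

def check_duts_indicators(data):
    """Heuristic triage only: both flags can occur in unrelated files."""
    parsed = parse_pe(data)
    if parsed is None:
        return None
    hdr_size, entry, secs = parsed
    last = max(secs) if len(secs) > 1 else None         # section with highest RVA
    return {
        "marker_in_header": MARKER in data[:hdr_size],
        "entry_in_last_section": bool(last) and last[0] <= entry < last[0] + last[1],
    }

def build_sample(entry_rva, mark=b""):
    """Constructed two-section PE32 header; the mark offset 0x40 is arbitrary."""
    buf = bytearray(b"MZ" + bytes(0x3FE))
    struct.pack_into("<I", buf, 0x3C, 0x80)             # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", buf, 0x84, 0x01C0, 2, 0xE0)
    struct.pack_into("<H", buf, 0x98, 0x10B)            # PE32 magic
    struct.pack_into("<I", buf, 0xA8, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", buf, 0xD4, 0x400)            # SizeOfHeaders
    for i, (name, rva) in enumerate(((b".text", 0x1000), (b".last", 0x2000))):
        struct.pack_into("<8sIII", buf, 0x178 + 40 * i, name, 0x200, rva, 0x200)
    buf[0x40:0x40 + len(mark)] = mark
    return bytes(buf)
```

A file that raises both flags is a candidate for a full antivirus scan, not a confirmed infection: packers and some linkers also place the entry point in the last section.
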
The virus body contains these text strings:
- This code arose from the dust of Permutation City
- WinCE4.Dust by Ratter/29A
- Dear User, am I allowed to spread?
- This is proof of concept code. Also, i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR file had to end ...

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.