This is a Windows CE (also known as Pocket PC) specific threat. This virus is little more than a proof-of-concept virus, a proof that a virus could infect the Windows CE platform.

This virus seeks to infect files which are not already infected. Infected files are marked by the virus with a byte string inserted into the file header - the hex byte string is 61 74 61 72 which translates to 'atar'.

The virus attempts to infect .EXE files on the host system, and in the root folder. WinCE/Duts infects files by appending its code, and modifying the entry point to run the appended code.

This virus contains these text strings in the virus body -

  • This code arose from the dust of Permutation City
  • WinCE4.Dust by Ratter/29A
    Dear User, am I allowed to spread?
  • This is proof of concept code. Also, i wanted to make avers happy.The situation when Pocket PC antiviruses detect only EICAR file had to end ...

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option