NEWS FROM THE LAB - Saturday, July 17, 2004

More on the first PocketPC virus
Posted by Mikko @ 09:49 GMT

The first PocketPC virus is now known as WinCE.Duts.1520.

This case is very similar to the Symbian Cabir worm which was found a month ago.

This is a new proof-of-concept virus. It has not been found in the wild. It was written by a member of the 29A virus-writing group. The worm is not known to be spreading in the wild at all. It will never become a problem in the real world.

Unlike Cabir, Duts is a traditional parasitic virus. It infects other programs in the PocketPC PDA, and spreads from one PDA to another when people exchange programs (for example, by beaming a game).

When an infected file is executed the virus asks for permission to infect:

[Image: Dust question]

When granted permission, Duts attempts to infect all EXE files in the current directory.

Duts contains two messages that are not displayed:

One is a reference to the science-fiction book Permutation City by Greg Egan, from which the virus got its intended name:


As usual, virus writers don't get to name their viruses - we do. So we named it Duts instead of Dust.

The other message is:

 This is proof of concept code. Also, i wanted to make avers happy.
 The situation when Pocket PC antiviruses detect only EICAR file had to end ....

Do note that this virus would also be capable of infecting mobile phones running an ARM-based version of PocketPC.

F-Secure have shipped an update for F-Secure Anti-virus for PocketPC to detect WinCE.Duts.1520.

Read eWeek's editorial on the issue.