Threat Encyclopedia

WINCE_BRADOR.A

Malware type: Backdoor

Aliases: Backdoor.WinCE.Brador.a (Kaspersky), WinCE/BackDoor-CHK (McAfee), Backdoor.Brador.A (Symantec), BDS/WinCE.Brador.A (Avira), Troj/Brador-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows CE

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This is the detection for the server component of WINCE_BRADOR.A. This backdoor program allows its client component to control an infected system, which is a Pocket PC with the ARM architecture running Windows CE. It is the first backdoor known to run on the Windows CE platform.

It arrives on a Pocket PC system when it is manually sent via email, Bluetooth, infrared, or any other connection between the Pocket PC and a Windows CE device. Upon execution, it attempts to create a copy of itself as the file SVCHOST.EXE in the following folder:

    <Root folder>\Windows\Startup

Placing the file there causes it to run automatically at every system startup. The dropped file is visible in File Explorer.

Once installed in the system, it opens an SMTP connection on port 25 and sends the IP address of the infected system to an email address hard-coded by the malware author. This email notification contains the following details:

From: br@mail.ru
To: brokensword@ukr.net
Message body:
<IP address of the infected system>

After it sends out the notification, it opens TCP port 2989 (0xBAD in hexadecimal) and waits for commands from this backdoor's client component.
Description created: Aug. 5, 2004 10:15:13 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 5,632 Bytes

Initial samples received on: Aug 5, 2004

Payload 1: Compromises system security

Details:

Installation and Autostart Technique

This is the detection for the server component of WINCE_BRADOR.A. This backdoor program allows its client component to control an infected system, which is a Pocket PC with the ARM architecture running Windows CE. It is the first backdoor known to run on the Windows CE platform.

It arrives on a Pocket PC system when it is manually sent via email, Bluetooth, infrared, or any other connection between the Pocket PC and a Windows CE device.

Upon execution, it attempts to create a copy of itself as the file SVCHOST.EXE in the following folder:

    <Root folder>\Windows\Startup

All files located in this folder run automatically at every system startup. If the file already exists, the backdoor skips the copy and proceeds to initiate its connection with the client component. The dropped file is visible in File Explorer.

This backdoor uses an unusual approach to drop a copy of itself in the \Windows\Startup folder. The author needed it because Pocket PCs are memory-based systems on which the file of a running program cannot be read, so the malware cannot simply copy its own executable from storage.

Instead, it first creates SVCHOST.EXE as an empty file and then builds it up manually in 1024-byte chunks. An exact copy of the first 1024-byte chunk (the MZ header) is embedded in the malware file; the backdoor writes this embedded chunk first and then writes the rest of the malware file, read from its own image in memory, after it.

Because the rest is taken from memory, the dropped copy looks slightly different from the original: runtime data such as file handles and socket handles are copied along with the code.

Backdoor Capabilities

This backdoor program is the server component of a backdoor package. Its client component can control the infected system once a connection is established.

Once installed in the system, it opens an SMTP connection on port 25 and sends the IP address of the infected system to an email address hard-coded by the malware author. This email notification contains the following details:

From: br@mail.ru
To: brokensword@ukr.net
Message body:
<IP address of the infected system>

After it sends out the notification, it opens TCP port 2989 (0xBAD in hexadecimal). Once a client successfully connects, the server component responds by sending the following text string:

Connection established

It then waits for commands from the client component. Each command is a single letter:

  • d - lists the files in a folder
  • g - uploads a file
  • r - runs a program or an operating system command
  • p - downloads a file
  • m - displays a message box
  • f - closes the established connection and sends the following text string to the client component:

    Connection closed

However, even after closing the session, this backdoor remains running in memory because its main loop never terminates.
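The notification email, the listening port and the greeting banner described above are all fixed values, which makes them usable as network indicators. The following is an added detection example (not Trend Micro's code) that scores constructed flow-log-style events against those indicators; the event field names are assumed.

```python
"""Added detection example (not Trend Micro's code): score constructed network
events against the WINCE_BRADOR.A indicators described on this page."""
import re
from typing import Dict, List

# Indicators taken from the description above.
NOTIFY_FROM = "br@mail.ru"
NOTIFY_TO = "brokensword@ukr.net"
BACKDOOR_PORT = 0xBAD                     # 2989, the port the server listens on
BANNER = b"Connection established"        # sent by the server after connecting
COMMANDS = {"d": "list files", "g": "upload file", "r": "run command",
            "p": "download file", "m": "message box", "f": "close"}
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Constructed sample events in a flow-log-like shape (field names are assumed).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "smtp", "src": "10.0.0.23", "mail_from": NOTIFY_FROM,
     "rcpt_to": NOTIFY_TO, "body": "10.0.0.23\r\n"},
    {"type": "tcp", "src": "10.0.0.23", "src_port": 2989, "dst": "203.0.113.5",
     "server_bytes": b"Connection established", "client_bytes": b"d"},
    {"type": "smtp", "src": "10.0.0.7", "mail_from": "alice@example.com",
     "rcpt_to": "bob@example.com", "body": "lunch?"},
]

def classify(event: Dict) -> List[str]:
    """Return the list of Brador indicators an event matches (empty = clean)."""
    hits: List[str] = []
    if event["type"] == "smtp":
        if (event["mail_from"].lower() == NOTIFY_FROM
                and event["rcpt_to"].lower() == NOTIFY_TO):
            hits.append("brador-notification")
            # The notification body is just the victim's IP address.
            if IPV4.fullmatch(event["body"].strip()):
                hits.append("body-is-ip")
    elif event["type"] == "tcp":
        if event["src_port"] == BACKDOOR_PORT:
            hits.append("brador-port")
        if event["server_bytes"].startswith(BANNER):
            hits.append("brador-banner")
            # Only decode single-letter commands once the banner has matched;
            # on their own, lone letters would be far too noisy.
            first = event["client_bytes"][:1].decode("ascii", "ignore")
            if first in COMMANDS:
                hits.append("brador-cmd:" + COMMANDS[first])
    return hits

def scan(events: List[Dict]) -> Dict[str, List[str]]:
    """Map each source host with at least one hit to its combined indicators."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        for h in classify(ev):
            report.setdefault(ev["src"], []).append(h)
    return report
```

A host that triggers both the notification and the banner indicators is a strong match; the port alone is weak evidence and is reported separately so an analyst can weigh it.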

Other Details

The email addresses to which this backdoor sends its notifications point to Russian domains.

Analysis by: Reginald Wong and Imelda Yap


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 1.952.09

Pattern release date: Aug 5, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Removing the Malware from the Startup Folder

Malware programs running on Pocket PC devices cannot easily be deleted while they are running. The following procedure works around this.

  1. Using File Explorer, from your root folder, go to the folder:
    \Windows\Startup
  2. Locate and cut the file svchost.exe.
  3. Go to a different folder, for example the root folder, and paste the cut file there.

Restarting System

Restarting your Pocket PC device prevents the malware from running during startup, since it is no longer in the Startup folder. After restarting, you can delete the malware file.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WINCE_BRADOR.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.