WINCE_BRADOR.A
Overview

Malware type: Backdoor

Aliases: Backdoor.WinCE.Brador.a (Kaspersky), WinCE/BackDoor-CHK (McAfee), Backdoor.Brador.A (Symantec), BDS/WinCE.Brador.A (Avira), Troj/Brador-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows CE

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

Low

Description: 

This is the detection for the server component of WINCE_BRADOR.A. This backdoor program allows its client component to control an infected system, which is a Pocket PC with the ARM architecture running Windows CE. It is the first backdoor known to run on the Windows CE platform.

It arrives on a Pocket PC system when it is manually sent via email, Bluetooth, infrared, or any other connection between the Pocket PC and a Windows CE device. Upon execution, it attempts to create a copy of itself as the file SVCHOST.EXE in the following folder:

    <Root folder>\Windows\Startup

This enables its automatic execution at every system startup. The dropped copy is visible in File Explorer.

Once installed in the system, it starts an SMTP connection via Port 25 by sending the IP address of the infected system to the email address specified by the malware author. This email notification contains the following details:

From: br@mail.ru
To: brokensword@ukr.net
Message body:
<IP address of the infected system>

After it sends out the notification, it opens TCP port 2989 (0xBAD in hexadecimal) and waits for commands from this backdoor's client component.
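As an added illustration, not part of the original write-up, the two host-observable traits described above (the notification mail with a bare IP address as its body, and the listener on port 0xBAD) checked over constructed log records in Python. The pipe-separated log format and the host names are assumptions made for the example.

```python
import ipaddress

# Indicators taken from the description above.
BRADOR_SENDER = "br@mail.ru"
BRADOR_RECIPIENT = "brokensword@ukr.net"
BRADOR_PORT = 0xBAD  # 2989 decimal

# Constructed sample records (not real traffic), one "key=value|..." record per line.
SAMPLE_MAIL_LOG = [
    "from=br@mail.ru|to=brokensword@ukr.net|body=10.0.0.17",
    "from=alice@example.com|to=bob@example.com|body=Meeting at 10",
    "from=br@mail.ru|to=brokensword@ukr.net|body=hello there",  # wrong body shape
]
SAMPLE_SOCKET_LOG = [
    "host=pda-01|proto=tcp|state=LISTEN|port=2989",
    "host=pda-02|proto=tcp|state=LISTEN|port=80",
]


def parse_record(line):
    """Split 'k=v|k=v' into a dict; the first '=' separates key from value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_beacon_mail(record):
    """Match the Brador notification: fixed sender/recipient and a body that
    is nothing but an IPv4 address (the infected system's address)."""
    if record.get("from") != BRADOR_SENDER or record.get("to") != BRADOR_RECIPIENT:
        return False
    try:
        ipaddress.IPv4Address(record.get("body", "").strip())
    except ValueError:
        return False
    return True


def is_backdoor_listener(record):
    """Match a TCP socket left listening on the backdoor's command port."""
    return (record.get("proto") == "tcp" and record.get("state") == "LISTEN"
            and record.get("port") == str(BRADOR_PORT))


def scan(mail_lines, socket_lines):
    """Return (indicator, detail) pairs for every record that matches."""
    hits = []
    for rec in map(parse_record, mail_lines):
        if is_beacon_mail(rec):
            hits.append(("brador-notification", rec["body"]))
    for rec in map(parse_record, socket_lines):
        if is_backdoor_listener(rec):
            hits.append(("brador-listener", rec["host"]))
    return hits
```

Both checks are needed together: the mail check alone would also fire on unrelated traffic to those addresses, and the port check alone would fire on any service that happens to use 2989.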

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 5, 2004 10:15:13 AM GMT -0800
