Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

WinCE.Brador.A

Aliases: Backdoor.Brador.A, Troj/Brador-A, Brador, WinCE/BackDoor-CHK, Backdoor.WinCE.Brador.a
Type: Backdoor Trojan
Affects: Windows CE based devices, such as Pocket PCs with an ARM / XScale processor, running Windows Mobile 2000, 2002, 2003, 2003 SE and WM 5

Upon execution, WinCE.Brador.A copies itself into the "\Windows\StartUp" folder as "svchost.exe" so that it runs every time Windows is started. The threat does not delete the original file after the copy succeeds, so the file it was launched from remains on the device.

WinCE/Brador.A opens TCP port 2989 and listens there for incoming commands from the attacker. Brador can perform several actions on the compromised device, such as transferring files to and from the device, starting executables, displaying a custom message box with the title "Hi", sending directory contents to the attacker, and exiting the backdoor by closing its connection. This functionality is driven by the short string "dgrpmf" that is visible in the backdoor binary: each character is a command byte, with "d" standing for Download, "r" for Run/Execute, "m" for MessageBox, "p" for uploading a file, and so on. All file transfers are done in 1024-byte (1 KB) chunks, which is necessary because GPRS connections from the Pocket PC Phone Edition are not very fast.

The backdoor tries to send a notification email to brokensword@ukr.net, the author of this backdoor. The email contains the IP address of the compromised system, and the sender address is shown as br@mail.ru. To deliver it, the backdoor connects to the SMTP relay smtp.mail.ru.

The backdoor modifies bytes in its own binary; for instance, the file-handle bytes are rewritten after the backdoor is first started on a Windows CE device. A copy found on an infected device will therefore look slightly different from the original sample, so byte-exact comparison with the original will not match. WinCE/Brador.A was written entirely in Assembly for Pocket PC.
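As an added illustration, not part of the original write-up, the following Python script turns the indicators above into a triage check for an extracted device file system: it flags "svchost.exe" under "\Windows\StartUp", looks for the "dgrpmf" command table and the notification address inside files (string matches rather than a hash, since the binary rewrites its own bytes), and spots a TCP listener on port 2989 in netstat-style output. The directory layout, file contents and netstat lines used here are constructed samples.

```python
import tempfile
from pathlib import Path, PureWindowsPath

STARTUP_PARTS = ("windows", "startup", "svchost.exe")   # drop location from the write-up
COMMAND_TABLE = b"dgrpmf"                                # one command byte per letter
NOTIFY_ADDRESS = b"brokensword@ukr.net"                  # notification recipient
LISTEN_PORT = 2989                                       # backdoor listening port


def file_indicators(rel_path, data):
    """Return the Brador indicators matched by one file, given its path relative
    to the device root and its bytes (strings, not a hash: the binary self-modifies)."""
    parts = tuple(p.lower() for p in PureWindowsPath(rel_path).parts)
    hits = []
    if parts[-3:] == STARTUP_PARTS:
        hits.append("svchost.exe in \\Windows\\StartUp")
    if COMMAND_TABLE in data:
        hits.append("command table 'dgrpmf' present")
    if NOTIFY_ADDRESS in data:
        hits.append("author notification address present")
    return hits


def scan_image(root):
    """Walk an extracted device image; map suspicious files to their hits."""
    root = Path(root)
    findings = {}
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        hits = file_indicators(rel, path.read_bytes())
        if hits:
            findings[rel] = hits
    return findings


def listening_on_backdoor_port(netstat_lines):
    """True if a netstat-style line shows a TCP listener on port 2989."""
    for f in (line.split() for line in netstat_lines):
        if len(f) >= 4 and f[0].upper() == "TCP" and f[-1].upper() == "LISTENING" \
                and f[1].rsplit(":", 1)[-1] == str(LISTEN_PORT):
            return True
    return False


def demo():
    """Scan a constructed sample image: one dropped backdoor, one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Windows" / "StartUp"
        startup.mkdir(parents=True)
        (startup / "svchost.exe").write_bytes(b"MZ\x90\x00dgrpmf\x00brokensword@ukr.net")
        (Path(tmp) / "Windows" / "readme.txt").write_bytes(b"harmless text")
        return scan_image(tmp)
```

Running `demo()` reports only the dropped file, with all three indicators; the benign file produces no hit.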

Removal Instructions

Removal of this threat is straightforward: first terminate the svchost.exe process with a memory manager, then use the Windows CE File Explorer to navigate to the Windows startup folder and delete the file. Because the backdoor leaves the file it was launched from in place, that original copy should be removed as well.

History: Analysis and write-up by Michael St. Neitzel