Recently, we at Avert Labs received word of a new Windows CE/Mobile polymorphic, companion virus. This was a bit odd since companion viruses used to be more popular in the days of DOS and we haven’t seen too many on newer platforms.
Unlike more standard file infecting viruses, companion viruses do not infect program files but instead pretend to be the original files. A companion virus will rename a clean file to a hidden or random name and rename itself to the clean file’s name. The result is that the user runs the virus when intending to run the original program. To avoid raising suspicion, the original is run once the virus is done executing. There may not be a noticeable delay before the original program runs.
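The rename trick above leaves a distinctive trace: the visible program name now holds a different binary, while the original program's bytes survive under a hidden or random name in the same directory. The following is an added example (not Avert Labs' code or a tool from the post) of how a defender can check a directory against a known-good baseline for exactly that pattern. It goes slightly beyond the post by matching the displaced original by content hash, so it catches both the hidden-name and the random-name variants. The `Entry` snapshot format, the `FILE_ATTRIBUTE_HIDDEN`-style `hidden` flag and the sample files are all constructed for illustration.

```python
"""Detect the companion-virus pattern: a baselined program file has changed,
and the known-good bytes now live under another name in the same directory.
Example code added to this post; the snapshot and baseline are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One directory entry from a constructed file-system snapshot."""
    name: str
    hidden: bool   # models the hidden attribute a companion sets on the original
    data: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    # Windows CE executables are PE files and begin with the "MZ" DOS stub signature.
    return data[:2] == b"MZ"


def find_companions(entries: List[Entry],
                    baseline: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """baseline maps a visible program name to the sha256 of its known-good bytes.

    Returns (visible name, name now holding the original, that file is hidden)
    for every baselined program that has been replaced by a different executable
    while its original bytes are still present under some other name."""
    by_name = {e.name: e for e in entries}
    by_hash: Dict[str, List[Entry]] = {}
    for e in entries:
        by_hash.setdefault(sha256(e.data), []).append(e)

    findings = []
    for name, good_hash in baseline.items():
        current = by_name.get(name)
        # Missing or unchanged files are not the companion pattern.
        if current is None or sha256(current.data) == good_hash:
            continue
        # A replaced program that is not itself executable is corruption, not a companion.
        if not is_pe(current.data):
            continue
        # The displaced original survives elsewhere in the directory: companion pattern.
        for other in by_hash.get(good_hash, []):
            if other.name != name:
                findings.append((name, other.name, other.hidden))
    return findings


# Constructed sample data: a clean snapshot and one where calc.exe has been companioned.
ORIGINAL_CALC = b"MZ" + b"\x00" * 30 + b"original calc program bytes"
FAKE_CALC = b"MZ" + b"\x00" * 30 + b"something else entirely"
BASELINE = {"calc.exe": sha256(ORIGINAL_CALC)}

CLEAN_SNAPSHOT = [
    Entry("calc.exe", False, ORIGINAL_CALC),
    Entry("notes.txt", False, b"just a text file"),
]

INFECTED_SNAPSHOT = [
    Entry("calc.exe", False, FAKE_CALC),          # runs first, then launches the original
    Entry("calc.exe.bak", True, ORIGINAL_CALC),   # displaced original under a hidden name
    Entry("notes.txt", False, b"just a text file"),
]


def scan_clean() -> List[Tuple[str, str, bool]]:
    return find_companions(CLEAN_SNAPSHOT, BASELINE)


def scan_infected() -> List[Tuple[str, str, bool]]:
    return find_companions(INFECTED_SNAPSHOT, BASELINE)


if __name__ == "__main__":
    print("clean:", scan_clean())
    print("infected:", scan_infected())
```

The baseline is the key input: without a trusted manifest of program hashes, a changed `calc.exe` is indistinguishable from a legitimate update. On a real device the snapshot would come from walking the file system and reading each file's attributes; here it is built inline so the check runs offline.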
While the companion technique was used quite often by less complex viruses, this one also uses basic encryption to evade detection. The decryption code of the virus is polymorphic with a handful of random code blocks. There may also be defects in portions of the virus.
The appearance of this new virus for Windows Mobile phones may mark a shift away from for-profit trojans and spyware toward more experimental viruses. Or maybe WinCE malware authors are just tired of other mobile platforms getting all the attention.

November 16th, 2008 at 8:47 am
[…] The latest wave is a Windows CE/Mobile polymorphic “companion” virus, according to McAfee Avert Labs Blog. […]
November 19th, 2008 at 10:31 am
[…] examined the virus and are surprised to find this particular infection technique still being used. Researcher Jimmy Shah had this to say: This was a bit odd since companion viruses used to be more popular in the days of […]