A portion of games with a Windows Mobile worm on the side

Following the blog entry by the colleagues at AVERT and subsequent media attention, I decided to investigate reports about a new worm for the Windows Mobile and Windows Smartphone platforms. The worm is packaged together with a number of legitimate mini-games, such as Mahjongg and a version of Tetris, with just enough social engineering to entice an unsuspecting user into installing the package on their device.

Apart from the usual warning that the package is not signed and therefore should not be trusted, there are no other obvious signs that the package is malicious. Most users ignore this warning with no bad consequences, except that with this package they will get more than they bargained for. One of the files in the package, 000Setup.017, is clearly malicious, with functionality to copy itself to any inserted flash card and more. We decided to detect this worm as WCE/Meiti-A. During installation the file is copied to mservice.exe in the Windows folder of the device, and mservice.exe is launched.


Additional games are indeed installed in the usual Games folder but this is where the fun stops.


Although I have looked at some previous examples of Windows Mobile malware, I would not say that I am the greatest expert in Windows executable analysis for ARM. However, with the help of IDA, the disassembly is similar to the disassembly of any other Windows executable. Thanks to the Win32 API, the majority of the functions used are similar.

WCE/Meiti-A disassembly

Unfortunately, my time for the analysis was quite limited, so I am fairly sure I have missed something interesting. The execution of the worm starts with lowering the security settings so that the device does not complain about the fact that programs are not signed. This is done through a simple registry write, just like on any desktop version of Windows. Depending on the file name, another file, mservice2.exe, may be created, possibly indicating that the file contains self-updating capability. The next stage, common with desktop malware as well, is to ensure that mservice.exe is started every time the device is powered on. WCE/Meiti-A does this by creating a shortcut, mservice.lnk, in the Windows Startup folder.

Handlers are created for various events, such as flash memory card insertion and connection of the device to a network. If a new memory card is inserted, mservice.exe will create a copy of itself in the folder \2577\ with the file name autorun.exe. This ensures that the file runs every time the memory card is inserted into the device, or indeed into any other Windows Mobile device. The folder name 2577 indicates the model of the processor. This is the model number used by Windows for any ARM4 or later compatible CPUs. This mechanism for automatic startup is well documented in the MSDN library.
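The file-system artefacts described in the last two paragraphs can be checked on an extracted copy of a device and its memory card. The following triage script is an added example, not code from the original analysis: the function names, the finding labels, the assumption that the Startup folder sits under the Windows folder, and the sample trees are all constructed for illustration.

```python
import tempfile
from pathlib import Path

# Names from the write-up, compared lower-cased (CE file systems ignore case).
DEVICE_FILES = {("windows", "mservice.exe"): "dropped-executable",
                ("windows", "mservice2.exe"): "possible-update-copy"}
STARTUP_LINK = "mservice.lnk"
CARD_AUTORUN = ("2577", "autorun.exe")

def index(root):
    """Map lower-cased path parts -> real path for every file under root."""
    root = Path(root)
    return {tuple(s.lower() for s in f.relative_to(root).parts): f
            for f in root.rglob("*") if f.is_file()}

def scan(device_root, card_root=None):
    """Return sorted (relative path, finding) pairs for the artefacts above."""
    dev, found = index(device_root), []
    for parts in dev:
        if parts in DEVICE_FILES:
            found.append(("/".join(parts), DEVICE_FILES[parts]))
        elif parts[-1] == STARTUP_LINK and "startup" in parts[:-1]:
            found.append(("/".join(parts), "startup-shortcut"))
    if card_root is not None:
        auto = index(card_root).get(CARD_AUTORUN)
        dropped = dev.get(("windows", "mservice.exe"))
        if auto is not None:
            # autorun.exe alone only merits review; a byte-identical mservice.exe is a self-copy.
            same = dropped is not None and auto.read_bytes() == dropped.read_bytes()
            found.append(("card:2577/autorun.exe",
                          "self-copy-of-mservice" if same else "autorun-review"))
    return sorted(found)

def build_sample(base):
    """Constructed sample trees (placeholder bytes, not real malware)."""
    dev, card = Path(base, "device"), Path(base, "card")
    for rel, data in [("Windows/MService.exe", b"PLACEHOLDER-A"),
                      ("Windows/StartUp/mservice.lnk", b"lnk"),
                      ("Program Files/Games/tetris.exe", b"game")]:
        p = dev / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    (card / "2577").mkdir(parents=True)
    (card / "2577" / "AutoRun.exe").write_bytes(b"PLACEHOLDER-A")
    return dev, card

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, finding in scan(*build_sample(tmp)):
            print(f"{finding:24}{path}")
```

On real data, call `scan()` with the root of the extracted device file system and, optionally, the root of the mounted card. An `autorun-review` result is not proof of infection, since legitimate installer cards use the same folder.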

The handler that detects network connectivity (quite possibly for GPRS networks as well) simply triggers uploading of potentially confidential information about the user and the device status to the attacker's website. Suspiciously, code for sending SMS messages also exists, although from static analysis it is not easy to see the number used as the destination of the message. More work is needed tomorrow. The HTTP protocol is used by several other subroutines in order to upload ZIP files created on the device.

Overall, this worm is very similar to many removable device worms we see for Windows desktop. It is fairly obvious that the worm was programmed by somebody with previous experience of software development for Windows Smartphone. The worm most probably originates in China, like so much other malware these days. It remains to be seen whether this sample will be a first indicator of increased effort in writing malware for Windows Mobile and Smartphone devices.