Discovered: August 05, 2004
Updated: August 05, 2004 6:22:01 PM
Systems Affected: Windows
Backdoor.Brador.A is the first Windows CE (Pocket PC) back door. The back door sends the IP address of the infected handheld to the attacker. It only affects ARM-based devices.
When the back door is launched, it creates the file /Windows/StartUp/svchost.exe (5632 bytes). This allows it to gain full control of the handheld when it is restarted.
When the infected handheld is connected to the Internet, the back door attempts to connect to a mail server and send an email containing the IP address of the handheld to an address at the domain ukr.net.
Next, the back door opens port 2989/tcp and waits for further instructions from the attacker.
The back door allows the attacker to issue the following commands:
d - list the directory contents
f - close the session
g - upload a file
m - display a message box
p - download a file
r - execute the specified command
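The following triage sketch is an added example, not part of the original write-up. It checks the two indicators described above: the dropped file in the StartUp folder (5632 bytes) and traffic to port 2989/tcp. The mounted backup directory, the flow-record format, the sample records and all function names are assumptions made for illustration.

```python
import os
import tempfile

# Indicators stated in the write-up above.
STARTUP_PATH = ("Windows", "StartUp", "svchost.exe")
DROPPED_SIZE = 5632  # bytes
LISTEN_PORT = 2989   # tcp

def check_startup_file(root):
    """Find the dropped file under root, matching names case-insensitively."""
    current = root
    for part in STARTUP_PATH:
        entries = os.listdir(current) if os.path.isdir(current) else []
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    if not os.path.isfile(current):
        return None
    size = os.path.getsize(current)
    return {"path": current, "size": size, "size_matches": size == DROPPED_SIZE}

def find_port_hits(flow_lines):
    """Return (time, source, destination) for flows to TCP port 2989."""
    hits = []
    for line in flow_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        ts, proto, src, dst = fields
        if proto.lower() == "tcp" and dst.rpartition(":")[2] == str(LISTEN_PORT):
            hits.append((ts, src, dst))
    return hits

# Constructed flow records: "time proto src_ip:port dst_ip:port" (assumed format).
SAMPLE_FLOWS = [
    "2004-08-05T18:01:10 tcp 192.0.2.10:1045 198.51.100.7:80",
    "2004-08-05T18:03:42 tcp 203.0.113.5:3321 192.0.2.10:2989",
    "2004-08-05T18:04:00 udp 192.0.2.10:1050 198.51.100.1:2989",
    "malformed line",
]

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed backup tree
        startup = os.path.join(root, "windows", "Startup")
        os.makedirs(startup)
        with open(os.path.join(startup, "SVCHOST.EXE"), "wb") as fh:
            fh.write(bytes(DROPPED_SIZE))
        return check_startup_file(root), find_port_hits(SAMPLE_FLOWS)
```

A file named svchost.exe in the StartUp folder deserves examination even when size_matches is false, since the 5632-byte size describes only the sample documented here.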