Backdoor.WinCE.Brador.a (Kaspersky Lab)
is also known as:
WinCE/BackDoor-CHK (McAfee), Backdoor.Brador.A (Symantec), BackDoor.Bra (Doctor Web), Troj/Brador-A (Sophos), Backdoor:WinCE/Brador.A (RAV), WINCE_BRADOR.A (Trend Micro), BDS/WinCE.Brador.A (H+BEDV), WinCE:Brador (ALWIL), WinCE/Brador.A (Grisoft), Backdoor.WinCE.Brador.A (SOFTWIN), Bck/WinCE.Brador.A (Panda), WinCE/Brador.A (Eset)
| Description added | Aug 05 2004 |
| Behavior | Backdoor |
Brador.a is a backdoor (a utility that allows remote administration of the
infected machine) for Pocket PC devices running Windows CE and newer versions of
Windows Mobile.
It is written in assembly for ARM processors and is 5632 bytes in size.
Once launched, Brador creates an svchost.exe file in the /Windows/StartUp/
folder, so the backdoor is started again every time the handheld is restarted,
giving the attacker persistent control over the device.
Brador identifies the IP address of the infected handheld and sends it to
the remote malicious user, informing them that the handheld is connected to the
Internet and that the backdoor is active. Brador then opens port 2989 and awaits
further commands.
The backdoor responds to the following commands:
| Command | Action |
|---|---|
| d | lists the directory contents |
| f | closes the session |
| g | uploads a file |
| m | displays a MessageBox |
| p | downloads a file |
| r | executes the specified command |
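The following host-triage script is an added example, not Kaspersky's code; it checks a constructed snapshot of a Pocket PC device (a file listing plus the TCP ports it listens on) against the three indicators given in the description above: the dropped /Windows/StartUp/svchost.exe, its 5632-byte size, and the listening port 2989. The `Finding` type, the `triage`/`verdict` helpers and the scoring weights are assumptions of this example.

```python
"""Host triage for the Brador.a indicators on this page (added example, not
Kaspersky's code). Inputs are constructed snapshots of a Pocket PC forensic
export: a file listing as (path, size_in_bytes) pairs plus the set of TCP ports
the device listens on. Path, size and port come from the description; the
scoring weights are assumptions."""
from dataclasses import dataclass

BRADOR_STARTUP_PATH = "/Windows/StartUp/svchost.exe"  # dropped file (from the description)
BRADOR_FILE_SIZE = 5632                                # bytes (from the description)
BRADOR_LISTEN_PORT = 2989                              # command port (from the description)

@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str
    weight: int  # assumed confidence contribution

def normalize(path: str) -> str:
    """Exports may use either separator and any letter case."""
    return path.replace("\\", "/").lower()

def triage(files, listening_ports):
    """Return the Brador.a indicators matched by a device snapshot."""
    findings = []
    for path, size in files:
        if normalize(path) != normalize(BRADOR_STARTUP_PATH):
            continue
        # Exact sample size is the strong signal; another size still deserves a look.
        if size == BRADOR_FILE_SIZE:
            findings.append(Finding("startup_dropper", f"{path} ({size} bytes)", 3))
        else:
            findings.append(Finding("startup_svchost_unexpected_size", f"{path} ({size} bytes)", 1))
    if BRADOR_LISTEN_PORT in listening_ports:
        findings.append(Finding("listening_port", f"tcp/{BRADOR_LISTEN_PORT}", 2))
    return findings

def verdict(findings):
    """Both indicators together are decisive; either one alone is worth a look."""
    score = sum(f.weight for f in findings)
    if score >= 4:
        return "likely infected"
    return "suspicious" if score > 0 else "clean"

if __name__ == "__main__":
    # Constructed snapshot of an infected device.
    files = [("\\Windows\\StartUp\\svchost.exe", 5632), ("\\Windows\\notes.txt", 120)]
    ports = {2989, 80}
    for f in triage(files, ports):
        print(f.indicator, f.evidence)
    print(verdict(triage(files, ports)))  # likely infected
```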