Trend Micro Virus Alert: WORM_CXOVER.A

WORM_CXOVER.A is a destructive, proof-of-concept, cross-platform worm that affects desktop computers and mobile devices running the .NET Framework. This framework is commonly installed with Windows XP, Windows Server 2003, and mobile devices running Windows CE or Mobile Edition. (Note: On affected mobile devices running Windows CE or Mobile Edition, this worm is detected as WINCE_CXOVER.A.) This worm is currently spreading in-the-wild.

This worm uses a built-in functionality of the .NET Framework to obtain the string associated with the operating system version where it is currently running. It checks whether the substrings CE and mobile exist in the string. If found, this worm then executes its code for the mobile platform. Otherwise, it executes the code for the desktop computer.

This worm propagates from the infected desktop to the target mobile device via the Microsoft Windows? ActiveSync program. It creates a registry entry that enables it to automatically execute at every system startup. It attempts to connect to an attached mobile device, and once a connection is established, it attempts to create a copy of itself. However, the function used by this worm does not allow the creation of the copy if the Windows folder does not exist in the attached mobile device, or a file using the same file name already exists.

It attempts to copy and execute itself in the Windows folder of the attached mobile device. After successfully copying and executing itself in this location, it disconnects the attached device from the infected desktop. It also checks whether the string associated with the running operating system version contains the substring 3.0. If found, this worm attempts to delete the registry key associated with the affected mobile device. However, since the mobile device has already been disconnected from the infected desktop, this worm is unable to perform this routine.

When executed in the mobile environment, this worm deletes all files in the folder and subfolders of the My Documents folder. It then attempts to create a copy of itself in the Windows folder of the mobile device.

This worm contains the following internal string:
the crossover virus - poc - by Dr. Jul{BLOCKED}rm - The great walls of China that separated the domains between wired and wireless, desktop and handhelds have been reduce to ruble. Vxers are entering a new era of greater vx possibilities with the chance of reaching more systems around the world than ever before. The viruses of the past are nothing compared to what the future holds. 2006 marks the establishment of a New Cyberworld Order with vxers around the world united at the forefront. The time is now to prepare and defend, are you ready?

If you would like to scan your computer for WORM_CXOVER.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

For additional information about the WORM_CXOVER.A please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_CXOVER.A