This Trojan is a proof-of-concept for Windows CE handheld devices. The Trojan is 5,632 bytes in size and was coded using general Assembler for ARM processors.

The Trojan contains instructions to send a short note in this format -


The note is sent as a notification message that the handheld device is compromised, and it mentions the IP address of the hand-held device.
The Trojan will bind with TCP port 2989 and await instructions from a malicious user.

Loading at Windows Startup
When the Trojan is run on a Windows CE hand-held device, it may copy itself to the folder 'c:\windows\startup\'. Having any file in this folder will automatically run that file.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option