Mystery Surrounds PC-to-PDA Virus

A mystery is deepening around a report about the emergence of a virus that can pass from a PC to a mobile device, with some antivirus vendors saying they have not seen the code to confirm it.

The Mobile Antivirus Researchers Association (MARA) said Monday it anonymously received the code, named "Crossover." Microsoft, whose software the virus reportedly affects, said Wednesday it is investigating the reports but has not heard of any customer complaints.

MARA officials were not immediately available to comment further.

Antivirus vendors said they will update their software to detect and remove the virus if they are allowed to analyze it. While vendors typically send virus samples to each other to update their products, MARA has not been forthcoming with a sample, said Graham Cluley, senior technology consultant for Sophos.

At the moment, the antivirus community only has MARA's word that the virus exists, Cluley said.

"We would still love to see a sample of this and determine if this is a potential threat to our customers," Cluley said. "It's a little bit disappointing that they are not sharing the sample."

The virus, MARA said, is the first one engineered to infect a Microsoft Windows desktop computer and then pass to a mobile device running the Windows CE or Mobile software, subsequently erasing files.

Proof-of-Concept

So far, the code remains proof-of-concept, a tag given to viruses that are created to illustrate how a vulnerability can be exploited but which are not generally released on the Internet.

But once the code is publicly released, malicious hackers may alter it, aiming for the virus to spread rapidly before antivirus software is updated to detect and remove the malware.

The Crossover virus copies itself in the registry of a desktop computer. It waits for a mobile device to synchronize its data with a desktop machine using Microsoft's ActiveSync program, according to MARA's posting. The virus then erases files in the My Documents directory on the device.

Mikko Hypponen, chief research officer at F-Secure, said the security company can update its software to detect the virus within a couple of hours of having a sample. But the company has not seen the virus, he said.

Sophos contacted MARA by e-mail to request the virus. MARA responded with an e-mail attaching legal conditions to the release of the sample, but Sophos did not want to sign an agreement, Cluley said. Sophos has had concerns over white papers MARA has published that contained virus source code, he said. Further, it is customary for antivirus vendors to securely send each other malware samples within a few hours, Cluley said.

MARA said that the virus would be available to antivirus companies and security experts "who qualify for MARA membership, which is free." The terms of the membership are unclear from MARA's Web site, and representatives of the group could not be immediately contacted.

MARA, formed in 2005, describes itself as a "vendor-neutral group" dedicated to preventing the spread of malicious code. According to its code of conduct, MARA members are not supposed to exchange viruses except for research and are not to engage in computer crime, among several other rules.

If verified, the virus could mark the start of a new danger for mobile devices, whose increasingly complex operating systems can be vulnerable to malware.
