Symantec Security Response: Backdoor.Bardor.A
Today, Symantec Security Response discovered the first Windows CE (Pocket PC) backdoor Trojan -- Backdoor.Bardor.A.
Once installed, the backdoor allows full control of the handheld system when it is restarted.
When the infected handheld is connected to the Internet, the backdoor sends the attacker the IP address of the handheld
device. It then opens port 44299 and waits for further instructions from the attacker.
The backdoor only affects ARM CPU-based Pocket PC devices. ARM CPUs are high-speed processors that are widely used in
PDAs and other handheld devices because of their small size and low power requirements.
At this time, Symantec is categorizing the threat as a Level 1 threat. Threat Levels range from 1 to 5, 5 being the most
severe.
"Backdoor server and Trojan horse programs often use enticing file names to trick users into executing them," said
Oliver Friedrichs, senior manager, Symantec Security Response. "Users should not open or execute files from unknown
sources."
Symantec's security experts recommend that compromised systems be completely reinstalled, because the remote user can
perform so many different actions on the server system, including installing applications.
Additionally, users should delete the file /Windows/StartUp/svchost.exe.
ENDS