Worm:WinCE/Mepos.A is a malicious program that affects mobile devices running the Windows CE operating system using ARM architecture. It has been observed in the wild, packaged with some popular game programs, using the filename 'smallgame.cab' hosted on Chinese web sites.
Installation
When run, WinCE/Mepos.A copies itself as \Windows\mservice.exe and then adds a link to itself, mservice.lnk, in the Windows startup folder so that it runs at the next Windows start.
Spreads Via…
Memory Flash Card
The worm monitors for device changes using the "\\.\Notifications\NamedEvents\DeviceChangeEvent" named event, and then attempts to spread further by copying itself as "<flash card>\2577\autorun.exe".
Payload
Lowers Security Settings
WinCE/Mepos.A alters the mobile device's security policy in order to disable the user prompt when installing unsigned applications. This is accomplished by making the following registry modification:
Modifies value: 0000101a
With data: 1
In subkey: HKEY_LOCAL_MACHINE\Security\Policies\Policies
Sends Data
The worm tries to connect to networks in range or through General Packet Radio Service (GPRS) to access the Internet. While connected, this worm may send data to a predefined Web site.
The worm may then attempt to send the following device data:
- OS version
- build number
- device's International Mobile Equipment Identity, or IMEI
- device type
- owner name
The worm may use the "\\.\Notifications\NamedEvents\Timer2Event" timer event to connect to messaging APIs and send SMS messages to various numbers.
Downloads and Executes Arbitrary Files
This worm may attempt to update itself by checking a predefined URL on the 'mobi.xiaomeiti.com' domain for a newer version. If a newer version is found, it is downloaded and installed, using \windows\mservice2.exe as a temporary file.
Worm:WinCE/Mepos.A monitors for network connections using the following event, and then runs a download routine to update its components:
\\.\Notifications\NamedEvents\AppRunAtNetConnect
Worm:WinCE/Mepos.A may attempt to download additional programs as files named 'msw.zip', 'msa.zip', 'msf.zip' and 'mss.zip' from a predefined Web site.
In doing so, the worm may modify the following registry entries:
Modifies value: offlineurl
With data: %windir%\msw.zip
In subkey: HKEY_LOCAL_MACHINE\Windows\software\ms
Modifies value: popconfigurl
With data: %windir%\msa.zip
In subkey: HKEY_LOCAL_MACHINE\Windows\software\ms
Modifies value: Favoritesurl
With data: %windir%\msf.zip
In subkey: HKEY_LOCAL_MACHINE\Windows\software\ms
Modifies value: Mssurl
With data: %windir%\mss.zip
In subkey: HKEY_LOCAL_MACHINE\Windows\software\ms
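The indicators listed in this write-up (the security-policy value under HKLM\Security\Policies\Policies, the four download URLs under HKLM\Windows\software\ms, the mservice.exe / mservice.lnk files and the storage-card autorun copy) can be turned into an offline triage check. The following Python script is an added example, not part of the original analysis: it runs over a constructed snapshot of a device's registry values and file paths, such as an analyst might export from a Windows CE device or an emulator image. The snapshot layout (a dict of subkey to value-name/data pairs, plus a list of file paths) is an assumption made for this example.

```python
"""Offline triage check for the Worm:WinCE/Mepos.A indicators in the write-up.

Added example; not code from the original analysis. The snapshot format
(registry dict plus file-path list) is an assumption for this example.
"""
import re
from typing import Dict, List, Tuple

# Registry indicators from the write-up, keyed by (subkey, value name).
# Keys are lower-cased because Windows registry names are case-insensitive
# (the write-up itself mixes "offlineurl" and "Favoritesurl").
REGISTRY_INDICATORS: Dict[Tuple[str, str], str] = {
    (r"hkey_local_machine\security\policies\policies", "0000101a"): "1",
    (r"hkey_local_machine\windows\software\ms", "offlineurl"): r"%windir%\msw.zip",
    (r"hkey_local_machine\windows\software\ms", "popconfigurl"): r"%windir%\msa.zip",
    (r"hkey_local_machine\windows\software\ms", "favoritesurl"): r"%windir%\msf.zip",
    (r"hkey_local_machine\windows\software\ms", "mssurl"): r"%windir%\mss.zip",
}

# File indicators from the write-up: the installed copy, the startup link,
# the update temp file and the four downloaded archives. Matched case-insensitively.
FILE_INDICATORS = [
    re.compile(r"^\\windows\\mservice\.exe$"),
    re.compile(r"^\\windows\\mservice2\.exe$"),
    re.compile(r"\\startup\\mservice\.lnk$"),
    re.compile(r"^\\windows\\ms[wafs]\.zip$"),
]

# \2577\autorun.exe is the normal Windows CE autorun location for ARM storage
# cards (2577 is the ARM processor-type value), so legitimate installer cards
# use it too. It is reported as a lead to verify, not as a confirmed hit.
AUTORUN_PATTERN = re.compile(r"\\2577\\autorun\.exe$")


def scan(registry: Dict[str, Dict[str, object]], files: List[str]) -> List[str]:
    """Return one finding string per matched indicator.

    registry: {subkey: {value name: data}} as exported from the device.
    files:    absolute Windows CE paths present on the device.
    """
    findings: List[str] = []

    # Case-insensitive view of the snapshot; data is compared as a string so
    # a DWORD 1 and the string "1" both match the write-up's "With data: 1".
    lowered = {
        key.lower(): {name.lower(): str(data) for name, data in values.items()}
        for key, values in registry.items()
    }
    for (subkey, name), expected in REGISTRY_INDICATORS.items():
        actual = lowered.get(subkey, {}).get(name)
        if actual is not None and actual.lower() == expected.lower():
            findings.append(f"registry: {subkey}\\{name} = {actual}")

    for path in files:
        low = path.lower()
        if any(pattern.search(low) for pattern in FILE_INDICATORS):
            findings.append(f"file: {path}")
        elif AUTORUN_PATTERN.search(low):
            findings.append(f"lead (verify): storage-card autorun at {path}")
    return findings


# Constructed sample snapshot of an infected device (not real exported data).
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Security\Policies\Policies": {"0000101a": 1},
    r"HKEY_LOCAL_MACHINE\Windows\software\ms": {
        "offlineurl": r"%windir%\msw.zip",
        "Favoritesurl": r"%windir%\msf.zip",
    },
}
SAMPLE_FILES = [
    r"\Windows\mservice.exe",
    r"\Windows\StartUp\mservice.lnk",
    r"\Storage Card\2577\autorun.exe",
    r"\Windows\notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(finding)
```

The security-policy check only confirms the value the write-up names is set to 1; it does not by itself prove infection, because an administrator or OEM image can set the same policy. The file and registry hits together, and the mservice.lnk startup entry in particular, are the stronger signal.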
Modifies Internet Explorer Settings
Worm:WinCE/Mepos.A may alter the default page for the web browser Internet Explorer.
Analysis by Iulian Mihai