New Virus for Pocket PC
By Fernando de la Cuadra, Panda Software
Wednesday, 28 July 2004 07:11 EST


The Duts virus has surprised us, as it infects a new system, the Windows version for "Pocket PC". This virus should perhaps cause great alarm; it is a conceptual test that should make all users take steps to avoid infection. Basically, this conceptual test (I refuse to call it a virus) has a series of features that bring to mind the first computer viruses, giving it a certain primitive air that makes it almost endearing.

The first file viruses (not including the boot viruses, which function in a totally different way and have very specific characteristics) used a very simple infection system. They were based on a modification of the internal structure of the file and the addition of executable code to the infected file. Each executable file contains data at the beginning of the file that informs the system of the conditions to be established for the correct execution of the code. This area is called the "Header".

The header data includes the amount of memory that must be reserved for code execution, certain values that must be foreseen in the operation, etc. Among these values, there is one which is essential: the exact place in the file where the executable code begins. If a virus changes this value and puts it where the virus code is located, when the system wants to execute the file it will be directed to the virus, which will execute its malicious actions and then proceed to execute the original file.
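The header field described above can be checked from the defender's side. The following is an added example, not part of the original article: it reads the entry-point value from a PE header (the executable format used by Windows) and reports which section it falls in. The function names, the two heuristics (entry point in the last section, entry section writable) and the constructed sample headers are assumptions made for illustration.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000  # section characteristic: writable at run time

def entry_point_report(data):
    """Return (entry_rva, owning_section, findings) for PE headers held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24
    entry, = struct.unpack_from("<I", data, opt + 16)    # AddressOfEntryPoint
    table = opt + opt_size                               # first section header
    owner, findings = None, []
    for i in range(nsect):
        off = table + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        flags, = struct.unpack_from("<I", data, off + 36)
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            owner = name.rstrip(b"\0").decode("latin-1")
            if nsect > 1 and i == nsect - 1:
                findings.append("entry point in last section")
            if flags & IMAGE_SCN_MEM_WRITE:
                findings.append("entry section is writable")
    if owner is None:
        findings.append("entry point outside all sections")
    return entry, owner, findings

def build_sample(entry_rva):
    """Constructed headers only (no code bodies): .text, then a writable .data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x01C0, 2, 0, 0, 0, 224, 0x0102)  # ARM, 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    last = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x600,
                       0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + opt + text + last

if __name__ == "__main__":
    for rva in (0x1010, 0x2010):
        print(hex(rva), entry_point_report(build_sample(rva))[1:])
```

These findings are triage hints rather than proof of infection, since packed or protected executables can legitimately start in a late or writable section.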

This is exactly how this virus works, and it is truly primitive. It is as if we had suddenly found a new animal species with the genetic code of the Tyrannosaurus Rex - biologists would be utterly amazed. On the one hand, it is new, but on the other, we have a well-known species that was believed to be extinct.

This virus has returned to the tradition of a group of virus creators who believe that their malicious code never implies harmful actions. In effect, this virus does not erase or damage anything, it simply propagates in the Pocket PC. But, according to their point of view, having a virus is not actually a problem, but rather something "fun". It is unquestionable that undesired code in a computer is never acceptable, just from the perspective of user privacy and the belief that only data accepted and desired by the owner of the system should be entered in it.

Fortunately, this virus does not appear to create massive infection, far from it. Firstly, it is a simple conceptual test and has not been spread "in the wild". Secondly, because of the way it infects. Duts can only enter a Pocket PC through connection to a desktop and must use a synchronisation system like ActiveSync or TrueSync. And all of these elements always operate under the supervision of "classic" antivirus software on the desktop.

Moreover, we cannot forget that the basic working system in Pocket PCs is very similar to Microsoft Outlook. As soon as the Pocket PC is connected to a desktop unit, Outlook enters into action even though the interface is hidden from the user. That is, there is a process that accesses the information in Outlook, and the antivirus software suitably designed to protect Outlook creates an unbreachable barrier for the virus. As soon as a process attempts to access an e-mail, task, or contact, the antivirus software automatically begins its vigilance.

Therefore, the appearance of Duts does not herald the beginning of a new era as did Cabir, SQLSlammer, MSBlast and Bubbleboy. It is simply an experiment for which current prevention systems are already prepared.


Copyright © IT-Observer.com 2000 - 2006