A mystery is deepening around a report about the emergence of a virus that can pass from a PC to a mobile device, with some antivirus vendors saying they have not seen the code to confirm it.
The Mobile Antivirus Researchers Association (MARA) said Monday it anonymously received the code, named "Crossover." Microsoft, whose software the virus reportedly affects, said Wednesday it is investigating the reports but has not heard of any customer complaints.
Antivirus vendors said they will update their software to detect and remove the virus if they are allowed to analyze it. While vendors typically send virus samples to each other to update their products, MARA has not been forthcoming with a sample, said Graham Cluley, senior technology consultant for Sophos.
At the moment, the antivirus community only has MARA's word that the virus exists, Cluley said.
"We would still love to see a sample of this and determine if this is a potential threat to our customers," Cluley said. "It's a little bit disappointing that they are not sharing the sample."
However, three MARA members have run the code and verified it, and the group plans to file a full report on the virus within a week, wrote Cyrus Peikari in a response to an e-mail query. Peikari is a founding member of MARA and the chief executive officer of Airscanner, a mobile security software company.
The virus, MARA said, is the first one engineered to infect a Microsoft Windows desktop computer and then pass to a mobile device running the Windows CE or Mobile software, subsequently erasing files.
So far, the code remains proof-of-concept, a tag given to viruses that are created to illustrate how a vulnerability can be exploited but which are not generally released on the Internet.
But once the code is publicly released, malicious hackers may alter it. The aim is for the virus to spread rapidly before antivirus software is updated to detect and remove the malware.
The Crossover virus copies itself in the registry of a desktop computer. It waits for a mobile device to synchronize its data with a desktop machine using Microsoft's ActiveSync program, according to MARA's posting. The virus then erases files in the My Documents directory on the device.
Mikko Hypponen, chief research officer at F-Secure, said the security company can update its software to detect the virus within a couple of hours of having a sample. But the company has not seen the virus, he said.
Sophos contacted MARA by e-mail to request the virus. MARA responded with an e-mail attaching legal conditions to the release of the sample, but Sophos did not want to sign an agreement, Cluley said. Sophos has had concerns in the past over white papers containing virus source code that were published by MARA members, he said. Further, it is customary for antivirus vendors to securely send each other malware samples within a few hours, Cluley said.
MARA said that the virus would be available to antivirus companies and security experts "who qualify for MARA membership, which is free." Several have applied, Peikari wrote, but "a small number have arrogantly said, 'We're the experts, not you, so hand it over right now.'"
"Some of them have even tried to bully individual members into bypassing the proper protocol," Peikari wrote. "That is unfortunate, since it would be illegal to distribute malware without a signed agreement in place."
MARA can be flexible on its membership agreements, and companies could propose their own terms, Peikari wrote.
MARA, formed in 2005, describes itself as a "vendor-neutral group" dedicated to prevent the spread of malicious code. According to its code of conduct, MARA members are not supposed to exchange viruses except for research and not engage in computer crime, among several other rules.
MARA would provide Microsoft a copy of the virus if the company requests it, Peikari wrote.
If verified, the virus could mark the start of a new dangers for mobile devices, whose increasingly complex operating systems can be vulnerable to malware.
