F-Secure Virus Information Pages : Cxover.A [ Summary ] | [ Disinfection ] | [ Detection ] Name: Cxover.A Alias: Crossover virus Category: Virus Platform: MSIL Summary MSIL/Cxover.A is a prooof-of-concept virus written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both PCs using Windows OS with .NET runtime installed and Windows Mobile handheld devices supporting .NET. Cxover.A infects devices over Microsoft's ActiveSync protocol. If the Cxover.A binary is executed on a Windows Mobile device, it looks for the PC over the ActiveSync connection and copies itself to the PC so that it will start automatically at next boot. If Cxover.A is executed on a Windows PC it will search for any handled devices connected over ActiveSync and copy itself there. Disinfection Automatic Disinfection Usually viruses infecting boot and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible due to file corruption or an overwriting virus, a user can select the disinfection action by himself to make FSAV rename or delete an infected file. In some special cases it is recommended to use specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites: http://www.f-secure.com/download-purchase/tools.shtml ftp://ftp.f-secure.com/anti-virus/tools/ F-Secure Anti-Virus can be purchased from our webshop or from our authorized distributors. A trial version of F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website: http://www.f-secure.com/download-purchase/ All the latest versions of FSAV can download anti-virus database updates automatically. However, these updates can be also downloaded and installed manually from our web or ftp sites: http://www.f-secure.com/download-purchase/updates.shtml Manual Disinfection Manually disinfecting files and boot sectors is not recommended as it can cause damage to a system and make it unbootable. System Restore issue and file viruses If Windows ME or XP is used, it is recommended to disable the System Restore feature of these operating systems to prevent the computer from re-infection. The System Restore feature of these operating systems might save an infected file to a special folder and copy it back to the hard drive it every time it's been renamed or deleted by F-Secure Anti-Virus or by a user. Instructions on how to disable System Restore feature are here: Windows ME: http://www.europe.f-secure.com/v-descs/sfc_dis.shtml Windows XP: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml Re-enabling System Restore is recommended after disinfection in order to restore stable system configuration in the future, if any crash or incompatibility issues occur. Back to the Top Detection F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2006-03-15_02. Back to the Top Detection F-Secure Mobile Anti-Virus for Windows Mobile detects this malware starting from the update build number 16. Back to the Top Write-up: Jarno Niemelä Technical Details: Jarno Niemelä, March 15, 2006 Description Updated: Sean Sullivan, March 15, 2006 F-Secure Corporation