“setupdll.dll” is a dynamic link library which is called by the Windows Mobile installation process. The malware author created this component to copy “sendservice.exe” from “\temp\” to “\windows\”. It then creates process to run WinCE/Sejweek.B at installation. “setupdll.dll” is not installed on the device.

“sendservice.exe” is Microsoft .NET executable. It requires the Microsoft .NET Compact Framework 2.0 or the later to be installed on the device.

WinCE/Sejweek.B creates the registry key HKLM\Init\Launch96 and adds its executable name as the value in order to run on boot.

WinCE/Sejweek.B checks the current time every 5 minutes. if current time is bigger than the time when last SMS was sent, and the hour of current time is greater than or equal to 11, it will connect to the URL http://[removed].com/[removed]/get.php to get its XML formatted configuration file. The file includes a phone number, message body and at which interval to send SMS messages.

The phone number and interval period are stored in an encoded format in the configuration file. After decoding the configuration values, WinCE/Sejweek.B creates the file “servicedata.dat” in the same directory as itself and stores the phone number, message text and interval period into this file.

If the server sends invalid data in “phone” elements(e.g. invalidly encoded data) . This can cause WinCE/Sejweek.B to terminate with an exception.