

Launch Codes

Particular launch codes sent by Palm OS are received by all applications on the Palm device. This makes launch codes a prime candidate for incubation or virus execution, since the code segments in an application's handling routines execute without the user's knowledge or intervention. Full details of the launch codes can be found in [22]. A casual perusal of the launch code documentation uncovers several obvious events that are likely to be used for incubation of malicious code. Our speculations on these are listed in Table 2.

Launch codes are handled in switch-style constructs within the PilotMain function. An application checks each code that it receives to determine if a handler exists. If one does exist, execution is handed off to the appropriate functions. The launch code of sysAppLaunchCmdNormalLaunch, sent when an application is normally executed, would most often vector to legitimate code. This provides an appearance of normalcy while malicious payloads remain dormant until their specific launch code is seen.
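The dispatch described above, as an added example that is not code from the paper or from any Palm OS application: a minimal PilotMain with one switch case per handled launch code, plus a small review aid that delivers a constructed sequence of codes and counts how many handler runs happened with no user action. The numeric values given to the launch-code constants are assumptions chosen for illustration (the authoritative values are in the Palm OS SDK's SystemMgr.h), the handler names are hypothetical, and the audit buffer is a host-side stand-in so the block builds and runs without the SDK.

```c
/* Added example, not from the paper: a Palm OS-style PilotMain dispatcher
 * written stand-alone so it builds on an ordinary host compiler.
 * Launch-code numbers below are assumed for illustration only; the real
 * values are defined in the Palm OS SDK's SystemMgr.h. */
#include <stdint.h>
#include <stdio.h>

typedef uint16_t UInt16;
typedef uint32_t UInt32;
typedef void    *MemPtr;

/* Assumed illustrative values (not copied from the SDK). */
#define sysAppLaunchCmdNormalLaunch     0
#define sysAppLaunchCmdSyncNotify       3
#define sysAppLaunchCmdSystemReset      5
#define sysAppLaunchCmdAlarmTriggered   6

/* Host-side audit log of which launch code each handler ran for. A real
 * Palm handler for a non-normal launch must not touch application globals
 * unless launchFlags carries sysAppLaunchFlagNewGlobals; this log exists
 * only so the dispatch can be inspected from a test. */
#define MAX_EVENTS 32
static UInt16 g_ran_for[MAX_EVENTS];
static int    g_ran_count = 0;

static void Record(UInt16 cmd)
{
    if (g_ran_count < MAX_EVENTS)
        g_ran_for[g_ran_count++] = cmd;
}

void ResetAudit(void) { g_ran_count = 0; }

/* Hypothetical benign handlers standing in for an application's routines. */
static void StartApplication(void) { Record(sysAppLaunchCmdNormalLaunch); }   /* UI shown to the user */
static void OnSyncNotify(void)     { Record(sysAppLaunchCmdSyncNotify); }     /* e.g. re-sort records   */
static void OnSystemReset(void)    { Record(sysAppLaunchCmdSystemReset); }    /* e.g. re-register alarm */
static void OnAlarmTriggered(void) { Record(sysAppLaunchCmdAlarmTriggered); } /* e.g. queue a reminder  */

/* Entry point every Palm OS application exports. The switch is the
 * construct the text describes: one case per launch code the app handles;
 * codes without a case are ignored. */
UInt32 PilotMain(UInt16 cmd, MemPtr cmdPBP, UInt16 launchFlags)
{
    (void)cmdPBP;
    (void)launchFlags;

    switch (cmd) {
    case sysAppLaunchCmdNormalLaunch:   StartApplication(); break;
    case sysAppLaunchCmdSyncNotify:     OnSyncNotify();     break;
    case sysAppLaunchCmdSystemReset:    OnSystemReset();    break;
    case sysAppLaunchCmdAlarmTriggered: OnAlarmTriggered(); break;
    default:
        break;
    }
    return 0;
}

/* Review aid: deliver a sequence of launch codes the way the OS would and
 * return how many handler runs occurred with no user action, i.e. for any
 * code other than sysAppLaunchCmdNormalLaunch. A reviewer auditing an
 * application wants exactly this list of silent entry points. */
int CountSilentExecutions(const UInt16 *codes, int n)
{
    int silent = 0;
    ResetAudit();
    for (int i = 0; i < n; i++)
        PilotMain(codes[i], NULL, 0);
    for (int i = 0; i < g_ran_count; i++)
        if (g_ran_for[i] != sysAppLaunchCmdNormalLaunch)
            silent++;
    return silent;
}

int HandlerRanCount(void) { return g_ran_count; }

/* Constructed delivery sequence: one user launch, three system-sent codes,
 * and one code (99) this application has no handler for. */
int DemoSilentCount(void)
{
    const UInt16 delivered[] = { sysAppLaunchCmdNormalLaunch, sysAppLaunchCmdSyncNotify,
                                 sysAppLaunchCmdSystemReset, sysAppLaunchCmdAlarmTriggered, 99 };
    int n = (int)(sizeof delivered / sizeof delivered[0]);
    return CountSilentExecutions(delivered, n);
}

int main(void)
{
    int silent = DemoSilentCount();
    printf("%d of %d handler runs happened without user interaction\n",
           silent, HandlerRanCount());
    return 0;
}
```

Of the five codes delivered, four reach a handler and three of those run without the user ever opening the application; the unhandled code 99 produces nothing. When reviewing a real application, the cases in its PilotMain switch other than sysAppLaunchCmdNormalLaunch are the entry points to inspect first.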

Table 2: Selected application launch codes and theorized incubation methods

Launch code: sysAppLaunchCmdSystemReset
Potential incubation method: This launch code signifies that a system reset has just occurred. No user input is allowed during this launch code. As Palm OS devices are not reset at regular intervals, this provides a random timing for the launch of malicious code.

Launch code: sysAppLaunchCmdSyncNotify
Potential incubation method: When a HotSync operation has been completed or an application has been successfully beamed and received by the device, this launch code is sent to the application. This could signify that the malicious code has successfully propagated to the target device and can perform its payload hiding or destructive actions.

Launch code: sysAppLaunchCmdAlarmTriggered
Potential incubation method: A most probable launch code for malicious use. Malicious code could set an alarm for a future time. Upon receipt of the alarm, the desired code would be executed.


Kingpin
2001-05-09