F-Secure Virus Descriptions : Mofei

 mofei.cfg
 navpw32.exe
 scardsvr32.dll

The NAVPW32.EXE file is dropped only on Windows 9x. After installation the dropper deletes itself from a hard drive.

Then the dropper copies itself with SCARDSVR32.EXE name to Windows System folder and creates a startup key for its file in System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "NavAgent32" = "<path_to_the_dropper> -v"

On NT-based computers the worm attempts to start this file as a service named SCardDrv. This way the worm's file is always active when Windows starts.

The worm spreads to computers with Windows NT-based operating systems via local network. It scans for computers with open ports 135 and 139 and if such computer is found, the worm tries to connect to IPC$ share of that computer. Mofei worm tries a few fixed passwords to get access to the IPC$ share and if it succeeds, it copies the dropper to Windows System folder on a remote computer with SCARDSVR32.EXE name and creates a service for it in System Registry.

The worm has backdoor functionalities. It contains 2 backdoor files, one for Windows 9x operating systems and the other for NT-based operating systems. A remote hacker can log into the backdoor and perform the following actions:

 - show help message
 - show version
 - exit this program
 - change password
 - change port
 - get windows command shell
 - run a command
 - get current directionary
 - change directionary
 - list files
 - delete a file
 - make new directionary
 - remove a directionary
 - exec a DOS command
 - Download Internet file
 - bind a port
 - close bind

The port that the backdoor listens to is configurable. Additionally the backdoor provides information about an infected computer to a hacker.

To disinfect a system it's enough to delete all worm's files from a hard disk.

[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 9th, 2003]