Threat Description

Mofei

Details

Aliases: Mofei, W32/MoFei.worm, Backdoor.Mofeir.101, Mofeir, Worm.Win32.Mofeir
Category: Malware
Type:
Platform: W32

Summary

Mofei is a network worm with backdoor capabilities. It was discovered at the beginning of June 2003. We have received a few reports about this worm from the field.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm is usually dropped onto a system by the SCARDSVR32.EXE file. This file is a dropper that creates the following files in the Windows System folder:

 mofei.cfg
 navpw32.exe
 scardsvr32.dll

The NAVPW32.EXE file is dropped only on Windows 9x. After installation the dropper deletes itself from the hard drive.

Then the dropper copies itself to the Windows System folder as SCARDSVR32.EXE and creates a startup key for that file in the System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "NavAgent32" = "<path_to_the_dropper> -v"

On NT-based computers the worm attempts to start this file as a service named SCardDrv. This way the worm's file is always active when Windows starts.

The worm spreads over the local network to computers running Windows NT-based operating systems. It scans for computers with ports 135 and 139 open and, if such a computer is found, tries to connect to its IPC$ share. The Mofei worm tries a few fixed passwords to gain access to the IPC$ share; if it succeeds, it copies the dropper to the Windows System folder on the remote computer as SCARDSVR32.EXE and creates a service for it in the System Registry.

The worm has backdoor functionality. It contains two backdoor files, one for Windows 9x operating systems and the other for NT-based operating systems. A remote hacker can log into the backdoor and perform the following actions:

 - show help message
 - show version
 - exit this program
 - change password
 - change port
 - get Windows command shell
 - run a command
 - get current directory
 - change directory
 - list files
 - delete a file
 - make new directory
 - remove a directory
 - exec a DOS command
 - download Internet file
 - bind a port
 - close bind

The port that the backdoor listens on is configurable. Additionally, the backdoor provides information about the infected computer to the hacker.

To disinfect a system it is enough to delete all of the worm's files from the hard disk.
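The indicators above (dropped files, the NavAgent32 Run value and the SCardDrv service) can be checked on a host with a short audit script. The script below is an added example, not F-Secure's code; it only reports findings and removes nothing. It assumes that the "Windows System folder" is %SystemRoot%\System32 on NT-based Windows and %SystemRoot%\System on Windows 9x, so it looks in both.

```powershell
# Added audit script (not part of the F-Secure description): report the
# Mofei indicators named in the write-up on the local host. Read-only.
# Assumption: the "Windows System folder" is System32 (NT) or System (9x),
# so both locations are checked.

function Find-MofeiIndicators {
    $findings = @()

    # Files created by the dropper, plus the dropper's own copy (SCARDSVR32.EXE)
    $names = 'mofei.cfg', 'navpw32.exe', 'scardsvr32.dll', 'scardsvr32.exe'
    $dirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\System")
    foreach ($dir in $dirs) {
        foreach ($name in $names) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Type = 'File'; Detail = $path }
            }
        }
    }

    # Startup value: HKLM\...\Run  "NavAgent32" = "<path_to_the_dropper> -v"
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $nav = Get-ItemProperty -Path $runKey -Name 'NavAgent32' -ErrorAction SilentlyContinue
    if ($nav) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "NavAgent32 = $($nav.NavAgent32)" }
    }

    # Service registered by the worm on NT-based systems. Do not confuse it with
    # the legitimate Windows Smart Card service, SCardSvr (scardsvr.exe).
    $svc = Get-Service -Name 'SCardDrv' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{ Type = 'Service'; Detail = "SCardDrv ($($svc.Status))" }
    }

    return $findings
}

# Wrap in @() so an empty result is still an array with a Count of 0
$result = @(Find-MofeiIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Mofei indicators found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session, since the HKLM Run key and the System32 folder may not be readable otherwise; any hit should be followed by the disinfection step described above.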





Description Created: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 9th, 2003
