The worm is usually dropped to a system by SCARDSVR32.EXE file.
This file is a dropper that creates the following files in
Windows System fodler:
The NAVPW32.EXE file is dropped only on Windows 9x. After
installation the dropper deletes itself from a hard drive.
Then the dropper copies itself with SCARDSVR32.EXE name to
Windows System folder and creates a startup key for its file in
"NavAgent32" = "<path_to_the_dropper> -v"
On NT-based computers the worm attempts to start this file as a
service named SCardDrv. This way the worm's file is always active
when Windows starts.
The worm spreads to computers with Windows NT-based operating
systems via local network. It scans for computers with open ports
135 and 139 and if such computer is found, the worm tries to
connect to IPC$ share of that computer. Mofei worm tries a few
fixed passwords to get access to the IPC$ share and if it
succeeds, it copies the dropper to Windows System folder on a
remote computer with SCARDSVR32.EXE name and creates a service
for it in System Registry.
The worm has backdoor functionalities. It contains 2 backdoor
files, one for Windows 9x operating systems and the other for
NT-based operating systems. A remote hacker can log into the
backdoor and perform the following actions:
- show help message
- show version
- exit this program
- change password
- change port
- get windows command shell
- run a command
- get current directionary
- change directionary
- list files
- delete a file
- make new directionary
- remove a directionary
- exec a DOS command
- Download Internet file
- bind a port
- close bind
The port that the backdoor listens to is configurable.
Additionally the backdoor provides information about an infected
computer to a hacker.
To disinfect a system it's enough to delete all worm's files from
a hard disk.
[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 9th, 2003]