Mofei

Classification

Malware

-

-

Mofei, W32/MoFei.worm, Backdoor.Mofeir.101, Mofeir, Worm.Win32.Mofeir

Summary

Mofei is a network worm with backdoor capabilities. It was discovered in the beginning of June 2003. We have received a few reports about this worm from the field.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The worm is usually dropped to a system by SCARDSVR32.EXE file. This file is a dropper that creates the following files in Windows System fodler:

 mofei.cfg
navpw32.exe
scardsvr32.dll

 

The NAVPW32.EXE file is dropped only on Windows 9x. After installation the dropper deletes itself from a hard drive.

Then the dropper copies itself with SCARDSVR32.EXE name to Windows System folder and creates a startup key for its file in System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NavAgent32" = "[path_to_the_dropper] -v"
 

On NT-based computers the worm attempts to start this file as a service named SCardDrv. This way the worm's file is always active when Windows starts.

The worm spreads to computers with Windows NT-based operating systems via local network. It scans for computers with open ports 135 and 139 and if such computer is found, the worm tries to connect to IPC$ share of that computer. Mofei worm tries a few fixed passwords to get access to the IPC$ share and if it succeeds, it copies the dropper to Windows System folder on a remote computer with SCARDSVR32.EXE name and creates a service for it in System Registry.

The worm has backdoor functionalities. It contains 2 backdoor files, one for Windows 9x operating systems and the other for NT-based operating systems. A remote hacker can log into the backdoor and perform the following actions:

 - show help message
- show version
- exit this program
- change password
- change port
- get windows command shell
- run a command
- get current directionary
- change directionary
- list files
- delete a file
- make new directionary
- remove a directionary
- exec a DOS command
- Download Internet file
- bind a port
- close bind

 

The port that the backdoor listens to is configurable. Additionally the backdoor provides information about an infected computer to a hacker.

To disinfect a system it's enough to delete all worm's files from a hard disk.