Mofei

Classification

Malware

-

-

Mofei, W32/MoFei.worm, Backdoor.Mofeir.101, Mofeir, Worm.Win32.Mofeir

Summary

Mofei is a network worm with backdoor capabilities. It was discovered in the beginning of June 2003. We have received a few reports about this worm from the field.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

The worm is usually dropped to a system by SCARDSVR32.EXE file. This file is a dropper that creates the following files in Windows System fodler:

 mofei.cfg
navpw32.exe
scardsvr32.dll

 

The NAVPW32.EXE file is dropped only on Windows 9x. After installation the dropper deletes itself from a hard drive.

Then the dropper copies itself with SCARDSVR32.EXE name to Windows System folder and creates a startup key for its file in System Registry:

 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NavAgent32" = "[path_to_the_dropper] -v"
 

On NT-based computers the worm attempts to start this file as a service named SCardDrv. This way the worm's file is always active when Windows starts.

The worm spreads to computers with Windows NT-based operating systems via local network. It scans for computers with open ports 135 and 139 and if such computer is found, the worm tries to connect to IPC$ share of that computer. Mofei worm tries a few fixed passwords to get access to the IPC$ share and if it succeeds, it copies the dropper to Windows System folder on a remote computer with SCARDSVR32.EXE name and creates a service for it in System Registry.

The worm has backdoor functionalities. It contains 2 backdoor files, one for Windows 9x operating systems and the other for NT-based operating systems. A remote hacker can log into the backdoor and perform the following actions:

 - show help message
- show version
- exit this program
- change password
- change port
- get windows command shell
- run a command
- get current directionary
- change directionary
- list files
- delete a file
- make new directionary
- remove a directionary
- exec a DOS command
- Download Internet file
- bind a port
- close bind

 

The port that the backdoor listens to is configurable. Additionally the backdoor provides information about an infected computer to a hacker.

To disinfect a system it's enough to delete all worm's files from a hard disk.

Date Created: -

Date Last Modified: -