  • Virus is 32-bit with a compressed size of 45,486 bytes – virus also carries a .DLL component with a size of 20,992 bytes
  • Virus has a dependency on PSAPI.DLL which may not exist on Windows 98 systems
  • Virus uses imports from MPR.DLL to add network connections after first enumerating available machines on the network – virus attempts to connect to any machine found and infect it by copying itself to that system
  • If virus is run on a target system, it may copy itself to the Windows\System32 folder as “SCARDSVR32.EXE” along with “SCARDSVR32.DLL” and also modify the registry to load at Windows startup –
    “ScardDrv” = (Windows\System32)\SCARDSVR32.EXE -v
  • The .DLL component contains the code that allows the .EXE file to operate as a remote access Trojan – it accepts client commands such as the following –
    ver: show version.
    exit: exit this program.
    passwd: change password.
    passwd [newpassword] [re-newpassword]
    port: change port.
    port [newport] [re-newport]
    cmd: get windows command shell.
    pwd: get current directionary.
    cd: change directionary.
    cd [directionary]
    dir: list files.
    dir [directionary]
    del: delete a file.
    del [filename]
    mkdir: make new directionary.
    mkdir [new_dir]
    rmdir: remove a directionary.
    rmdir [directionary]
    exec: exec a DOS command.
    exec [DOS_command]
  • Virus attempts to scan ranges of IP addresses and connect to them using a dictionary list of logon names in an effort to propagate further –
    Beginning IP Ending IP
  • Virus attempts to copy itself to the $ADMIN\System32 folder if it can successfully connect to any of the target IP addresses
  • Virus contains the string “MoFei.VER MoFei.VER”
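As an added defender's check that is not part of the original write-up: a small Python hunt routine that flags the persistence indicators described above, namely the "ScardDrv" Run value launching SCARDSVR32.EXE with -v, and the dropped SCARDSVR32.EXE/.DLL pair in System32. It assumes the Run key values and the System32 directory listing have already been exported from the host; the sample hosts at the bottom are constructed data.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the write-up: the Run value name, the two dropped
# file names and the "-v" switch on the startup command line.
RUN_VALUE_NAME = "scarddrv"
DROPPED_EXE = "scardsvr32.exe"
DROPPED_DLL = "scardsvr32.dll"
# Matches "<path>\SCARDSVR32.EXE -v" case-insensitively, with or without quotes.
_RUN_CMD_RE = re.compile(r'^"?(?P<path>.*[\\/]scardsvr32\.exe)"?\s+-v\s*$', re.I)


def check_run_key(run_values: Dict[str, str]) -> List[str]:
    """Inspect a Run key exported as {value_name: command_line}."""
    findings = []
    for name, data in run_values.items():
        m = _RUN_CMD_RE.match(data.strip())
        if m:
            findings.append(f"Run value '{name}' launches {m.group('path')} -v")
        elif name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' present with unexpected data {data!r}")
    return findings


def check_system32(listing: Iterable[str]) -> List[str]:
    """Inspect System32 file names. SCardSvr.exe (without '32') is the
    legitimate Smart Card service and is deliberately not matched."""
    names = {n.lower() for n in listing}
    findings = []
    if DROPPED_EXE in names:
        findings.append(f"{DROPPED_EXE} present in System32")
        if DROPPED_DLL in names:
            findings.append(f"{DROPPED_DLL} present alongside it (remote-access component)")
    return findings


def scan(run_values: Dict[str, str], listing: Iterable[str]) -> List[str]:
    return check_run_key(run_values) + check_system32(listing)


# Constructed sample hosts (hypothetical data, not captured from a real system).
INFECTED_RUN = {"ScardDrv": r"C:\WINDOWS\System32\SCARDSVR32.EXE -v",
                "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe"}
INFECTED_FILES = ["kernel32.dll", "SCARDSVR32.EXE", "SCARDSVR32.DLL", "SCardSvr.exe"]
CLEAN_RUN = {"ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe"}
CLEAN_FILES = ["kernel32.dll", "SCardSvr.exe"]

if __name__ == "__main__":
    print(scan(INFECTED_RUN, INFECTED_FILES))
    print(scan(CLEAN_RUN, CLEAN_FILES))
```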