Threat Encyclopedia

W32/Mofei.A

description-logoAnalysis

  • Virus is 32bit with a compressed size of 45,486 bytes – virus also carries a .DLL component with a size of 20,992 bytes
  • Virus has a dependency on PSAPI.DLL which may not exist on Windows 98 systems
  • Virus uses imports from MPR.DLL to add network connections after first enumerating available machines on the network – virus attempts to connect to any machine found and infect it by copying itself to that system
  • If virus is run on a target system, it may copy itself to the Windows\System32 folder as “SCARDSVR32.EXE” along with “SCARDSVR32.DLL” and also modify the registry to load at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    ”ScardDrv” = (Windows\System32)\SCARDSVR32.EXE -v
  • The .DLL component contains instructions which allows the .EXE file to run as a remote access Trojan – it supports the use from client access instructions such as the following –
    ver: show version.
    exit: exit this program.
    passwd: change password.
    passwd [newpassword] [re-newpassword]
    port: change port.
    port [newport] [re-newport]
    cmd: get windows command shell.
    pwd: get current directionary.
    cd: change directionary.
    cd [directionary]
    dir: list files.
    dir [directionary]
    del: delete a file.
    del [filename]
    mkdir: make new directionary.
    mkdir [new_dir]
    rmdir: remove a directionary.
    rmdir [directionary]
    exec: exec a DOS command.
    exec [DOS_command]
  • Virus attempts to scan ranges of IP addresses and connect to them using a dictionary list of logon names in an effort to propagate further –
    Beginning IP Ending IP
    12.10.192.0 12.10.199.255
    164.0.0.1 164.255.255.255
    164.100.0.0 164.100.255.255
    194.117.0.0 194.117.255.255
    194.154.0.0 194.154.255.255
    194.65.0.0 194.65.255.255
    195.112.0.0 195.112.255.255
    195.224.0.0 195.224.255.255
    196.12.0.0 196.12.255.255
    196.3.0.0 196.3.255.255
    199.244.0.0 199.244.255.255
    202.131.0.0 202.131.255.255
    202.134.0.0 202.134.255.255
    202.136.0.0 202.136.255.255
    202.138.0.0 202.138.255.255
    202.140.0.0 202.140.255.255
    202.141.0.0 202.141.255.255
    202.142.0.0 202.142.255.255
    202.144.0.0 202.144.255.255
    202.173.0.0 202.173.255.255
    202.177.0.0 202.177.255.255
    202.179.0.0 202.179.255.255
    202.184.0.0 202.184.255.255
    202.2.0.0 202.2.255.255
    202.21.0.0 202.21.255.255
    202.4.0.0 202.4.255.255
    202.41.0.0 202.41.255.255
    202.43.0.0 202.43.255.255
    202.52.0.0 202.52.255.255
    202.54.0.0 202.54.255.255
    202.55.0.0 202.55.255.255
    202.56.0.0 202.56.255.255
    202.60.0.0 202.60.255.255
    202.62.0.0 202.62.255.255
    202.65.0.0 202.65.255.255
    202.68.0.0 202.68.255.255
    202.70.0.0 202.70.255.255
    202.81.0.0 202.81.255.255
    202.86.0.0 202.86.255.255
    202.89.0.0 202.89.255.255
    202.90.0.0 202.90.255.255
    202.91.0.0 202.91.255.255
    203.112.0.0 203.112.255.255
    203.122.0.0 203.112.255.255
    203.124.0.0 203.124.255.255
    203.129.0.0 203.129.255.255
    203.132.0.0 203.132.255.255
    203.145.0.0 203.145.255.255
    203.152.0.0 203.152.255.255
    203.163.0.0 203.163.255.255
    203.168.0.0 203.168.255.255
    203.188.0.0 203.188.255.255
    203.190.0.0 203.190.255.255
    203.192.0.0 203.192.255.255
    203.195.0.0 203.195.255.255
    203.197.0.0 203.197.255.255
    203.200.0.1 203.200.255.255
    203.86.0.0 203.86.255.255
    203.90.0.0 203.90.255.255
    203.94.0.0 203.94.255.255
    206.252.0.0 206.252.255.255
    207.113.0.0 207.113.255.255
    207.235.0.0 207.235.255.255
    207.44.0.0 207.44.255.255
    209.61.0.0 207.44.255.255
    209.66.0.0 209.66.255.255
    210.190.0.0 210.190.255.255
    210.210.0.0 210.210.255.255
    210.212.0.0 210.212.255.255
    210.214.0.0 210.214.255.255
    210.4.0.0 210.4.255.255
    212.162.0.0 212.162.255.255
    212.63.0.0 212.63.255.255
    216.217.0.0 216.217.255.255
    216.6.0.0 216.6.255.255
    217.6.0.0 217.6.255.255
    63.68.0.0 63.68.255.255
  • Virus attempts to copy itself to the $ADMIN\System32 folder if it can successfully connect to any of the target IP addresses
  • Virus contains the string “MoFei.VER 1.0.0.0 MoFei.VER”

Telemetry