W32/Mofei.A
Analysis
- Virus is 32-bit with a compressed size of 45,486 bytes – the virus also carries a .DLL component with a size of 20,992 bytes
- Virus has a dependency on PSAPI.DLL, which may not exist on Windows 98 systems
- Virus uses imports from MPR.DLL to add network connections after first enumerating available machines on the network – the virus attempts to connect to any machine found and infect it by copying itself to that system
- If the virus is run on a target system, it may copy itself to the Windows\System32 folder as "SCARDSVR32.EXE" along with "SCARDSVR32.DLL" and also modify the registry to load at Windows startup –
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"ScardDrv" = (Windows\System32)\SCARDSVR32.EXE -v
- The .DLL component contains code that allows the .EXE file to run as a remote access Trojan – it supports client access instructions such as the following (listed as the virus presents them) –
ver: show version.
exit: exit this program.
passwd: change password.
passwd [newpassword] [re-newpassword]
port: change port.
port [newport] [re-newport]
cmd: get windows command shell.
pwd: get current directionary.
cd: change directionary.
cd [directionary]
dir: list files.
dir [directionary]
del: delete a file.
del [filename]
mkdir: make new directionary.
mkdir [new_dir]
rmdir: remove a directionary.
rmdir [directionary]
exec: exec a DOS command.
exec [DOS_command]
- Virus attempts to scan ranges of IP addresses and connect to them using a dictionary list of logon names in an effort to propagate further
- Virus attempts to copy itself to the ADMIN$\System32 folder if it can successfully connect to any of the target IP addresses
- Virus contains the string "MoFei.VER 1.0.0.0 MoFei.VER"
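Added here as a defender-side check, not part of the original analysis: a Python script that flags the persistence artifacts described above (the RunServices "ScardDrv" value pointing at SCARDSVR32.EXE, the SCARDSVR32 files in System32) and the "MoFei.VER" marker string. The registry export text, file listing and drive path it uses are constructed sample input, not data from the page.

```python
# Added example, not part of the original analysis: defender-side checks for the
# W32/Mofei.A artifacts described above. All input below is constructed.

# Indicators taken from the analysis above.
RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
                   r"\CurrentVersion\RunServices")
RUN_VALUE_NAME = "ScardDrv"
DROPPED_FILES = {"scardsvr32.exe", "scardsvr32.dll"}
VERSION_MARKER = b"MoFei.VER"

# Constructed sample of a `reg export` text (drive path assumed, not from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScardDrv"="C:\\WINDOWS\\System32\\SCARDSVR32.EXE -v"
'''


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes in string data as "\\".
            data = data.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_mofei_persistence(reg_text):
    """Return the RunServices command line if ScardDrv loads SCARDSVR32.EXE, else None."""
    data = parse_reg_export(reg_text).get(RUNSERVICES_KEY, {}).get(RUN_VALUE_NAME)
    return data if data and "scardsvr32.exe" in data.lower() else None


def find_dropped_files(system32_listing):
    """Return names in a System32 directory listing that match the dropped files."""
    return [name for name in system32_listing if name.lower() in DROPPED_FILES]


def has_version_marker(file_bytes):
    """True if the 'MoFei.VER' string the analysis reports is present."""
    return VERSION_MARKER in file_bytes
```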