W32/MoFei.B!worm
Analysis
- Virus is a 32-bit Windows executable with a compressed size of 42,949 bytes; it also carries a .DLL component with a size of 20,480 bytes
- Virus depends on PSAPI.DLL, which may not be present on Windows 98 systems, so it may fail to load there
- Virus uses imports from MPR.DLL (the library that exports the WNet* networking functions) to first enumerate the machines visible on the network and then add network connections to them; it attempts to connect to every machine found and infect it by copying itself to that system
- If the virus is run on a target system, it may copy itself to the Windows\System32 folder as "SCARDSVR32.EXE" together with "SCARDSVR32.DLL", and modify the registry so that it is loaded at Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"ScardDrv" = (Windows\System32)\SCARDSVR32.EXE -v
Note that the RunServices key is processed by Windows 95/98/ME only; on Windows NT-based systems the value is still a useful indicator of infection but does not by itself start the worm
- The .DLL component implements the backdoor functionality that allows the .EXE to operate as a remote access Trojan; a connecting client can issue the following commands (help text listed as the analysis reports it, including its spelling):
ver: show version.
exit: exit this program.
passwd: change password.
passwd [newpassword] [re-newpassword]
port: change port.
port [newport] [re-newport]
cmd: get windows command shell.
pwd: get current directionary.
cd: change directionary.
cd [directionary]
dir: list files.
dir [directionary]
del: delete a file.
del [filename]
mkdir: make new directionary.
mkdir [new_dir]
rmdir: remove a directionary.
rmdir [directionary]
exec: exec a DOS command.
exec [DOS_command]
- Virus also attempts to reach the following specific IP addresses and log on to them using a dictionary list of logon names, in an effort to propagate further (the last two are the first and last addresses of the 164.100.0.0/16 block):
192.168.0.3
192.168.0.20
164.100.0.0
164.100.255.255
- Addresses such as these typically reside within a multi-user internal network, commonly behind a firewall and/or router (192.168.0.0/16 is a private RFC 1918 range)
- Virus attempts to copy itself to the System32 folder beneath the ADMIN$ administrative share (which maps to the Windows directory of the remote machine, i.e. ADMIN$\System32) if it can successfully connect to any of the target IP addresses
- Virus contains the string "MoFei.VER 1.0.0.0 MoFei.VER"
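As an added example (not part of the original analysis and not Fortinet's code), the following PowerShell snippet checks a host for the artifacts named above: the two dropped files in System32, the "ScardDrv" value under RunServices, and the embedded "MoFei.VER" string. It assumes a standard %SystemRoot% layout and that the worm used exactly the file and value names given in this analysis; it reports findings only and removes nothing.

```powershell
# Host check for the W32/MoFei.B indicators listed in the analysis above.
# Added example; it checks only the artifacts named on this page.
$sys32    = Join-Path $env:SystemRoot 'System32'
$dropped  = @('SCARDSVR32.EXE', 'SCARDSVR32.DLL') | ForEach-Object { Join-Path $sys32 $_ }
$runSvc   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$findings = @()

# 1. Dropped files: report size and whether the marker string is present.
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        $size   = (Get-Item -LiteralPath $path).Length
        $marker = Select-String -LiteralPath $path -Pattern 'MoFei\.VER' -Quiet
        $findings += "File present: $path ($size bytes); contains 'MoFei.VER': $marker"
    }
}

# 2. Persistence value. On NT-based Windows the key may not exist at all,
#    which is itself a clean result rather than an error.
if (Test-Path -LiteralPath $runSvc) {
    $val = (Get-ItemProperty -LiteralPath $runSvc -ErrorAction SilentlyContinue).ScardDrv
    if ($val) { $findings += "RunServices\ScardDrv = $val" }
}

if ($findings.Count -eq 0) { 'No W32/MoFei.B indicators found.' } else { $findings }
```

Run it in an elevated PowerShell session so that System32 and the HKLM hive are readable. A hit on the file names alone is not conclusive (a legitimate smart-card service binary could share a similar name), so treat the "MoFei.VER" marker and the RunServices value as the decisive indicators.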
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | (not listed)