W32/MoFei.B!worm

Analysis

  • The virus is a 32-bit Windows executable with a compressed size of 42,949 bytes; it also carries a .DLL component with a size of 20,480 bytes.
  • The virus depends on PSAPI.DLL, which may not be present on Windows 98 systems.
  • The virus uses imports from MPR.DLL to enumerate the machines available on the network and then add network connections to them; it attempts to connect to every machine found and infect it by copying itself to that system.
  • When run on a target system, the virus may copy itself to the Windows\System32 folder as "SCARDSVR32.EXE" together with "SCARDSVR32.DLL", and modify the registry so that it is loaded at Windows startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    "ScardDrv" = (Windows\System32)\SCARDSVR32.EXE -v
  • The .DLL component contains the instructions that allow the .EXE file to operate as a remote access Trojan; it accepts client commands such as the following:
    ver: show version.
    exit: exit this program.
    passwd: change password.
    passwd [newpassword] [re-newpassword]
    port: change port.
    port [newport] [re-newport]
    cmd: get windows command shell.
    pwd: get current directionary.
    cd: change directionary.
    cd [directionary]
    dir: list files.
    dir [directionary]
    del: delete a file.
    del [filename]
    mkdir: make new directionary.
    mkdir [new_dir]
    rmdir: remove a directionary.
    rmdir [directionary]
    exec: exec a DOS command.
    exec [DOS_command]
  • The virus attempts to locate the following specific IP addresses and connect to them using a dictionary list of logon names in an effort to propagate further:
    192.168.0.3
    192.168.0.20
    164.100.0.0
    164.100.255.255
  • These addresses typically reside within a multi-user network, commonly behind a firewall and/or router.
  • If it can successfully connect to any of the target IP addresses, the virus attempts to copy itself to the $ADMIN\System32 folder.
  • The virus contains the string "MoFei.VER 1.0.0.0 MoFei.VER".
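The persistence, marker-string and propagation indicators listed above can be checked with a small triage script. The following is an added example written for this page, not Fortinet's code; the registry export text and the connection log lines are constructed samples embedded inline, and the log format (`src=... dst=... dport=...`) is an assumption chosen for the example rather than any particular product's format.

```python
"""Triage helpers for the W32/MoFei.B indicators described in the analysis.

Added example (not Fortinet's code). All inputs are constructed samples so the
script runs offline: the registry text mimics a `reg export` dump and the log
lines mimic a generic firewall connection log (assumed format).
"""
import re
from collections import defaultdict

# Indicators taken from the analysis above.
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUN_VALUE_NAME = "ScardDrv"
DROPPED_FILES = {"scardsvr32.exe", "scardsvr32.dll"}
MARKER = b"MoFei.VER 1.0.0.0 MoFei.VER"
TARGET_IPS = {"192.168.0.3", "192.168.0.20", "164.100.0.0", "164.100.255.255"}
SMB_PORTS = {139, 445}


def find_persistence(reg_export: str) -> list:
    """Return (key, value_name, data) for RunServices values that match the
    worm's autostart entry, either by value name or by the dropped file name."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # section header names the key
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not (m and current_key and current_key.lower() == RUNSERVICES_KEY.lower()):
            continue
        name, data = m.group(1), m.group(2)
        if name.lower() == RUN_VALUE_NAME.lower() or any(f in data.lower() for f in DROPPED_FILES):
            hits.append((current_key, name, data))
    return hits


def has_marker(blob: bytes) -> bool:
    """True if the version string carried by the worm is present in a file image."""
    return MARKER in blob


def suspicious_smb_sources(log_lines, fanout_threshold: int = 3) -> dict:
    """Flag sources that reach a listed target IP over SMB, or that fan out to
    at least `fanout_threshold` distinct hosts over SMB (enumerate-and-copy
    pattern). Assumed log format: '<ts> src=<ip> dst=<ip> dport=<port> action=<x>'."""
    pat = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
    dsts = defaultdict(set)
    reasons = {}
    for line in log_lines:
        m = pat.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport not in SMB_PORTS:
            continue
        dsts[src].add(dst)
        if dst in TARGET_IPS:
            reasons.setdefault(src, set()).add(f"smb to listed target {dst}")
    for src, targets in dsts.items():
        if len(targets) >= fanout_threshold:
            reasons.setdefault(src, set()).add(f"smb fan-out to {len(targets)} hosts")
    return {src: sorted(r) for src, r in reasons.items()}


# Constructed sample inputs (not real telemetry).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScardDrv"="C:\\Windows\\System32\\SCARDSVR32.EXE -v"
'''

SAMPLE_LOG = [
    "2020-08-25T10:00:01 src=10.0.0.5 dst=192.168.0.3 dport=445 action=allow",
    "2020-08-25T10:00:02 src=10.0.0.5 dst=10.0.0.7 dport=445 action=allow",
    "2020-08-25T10:00:02 src=10.0.0.5 dst=10.0.0.8 dport=445 action=deny",
    "2020-08-25T10:00:03 src=10.0.0.9 dst=10.0.0.1 dport=443 action=allow",
    "2020-08-25T10:00:04 src=10.0.0.9 dst=10.0.0.7 dport=445 action=allow",
]

if __name__ == "__main__":
    print("persistence:", find_persistence(SAMPLE_REG_EXPORT))
    print("marker in sample blob:", has_marker(b"MZ\x90\x00" + MARKER + b"\x00"))
    print("smb sources:", suspicious_smb_sources(SAMPLE_LOG))
```

The fan-out threshold is deliberately low for the constructed sample; on a real network it should be tuned against the normal SMB behaviour of file servers and management hosts so that only the enumerate-then-copy pattern stands out.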

Telemetry

Detection Availability

Product                    Detection level
FortiClient                Extreme
FortiMail                  Extreme
FortiSandbox               Extreme
FortiWeb                   Extreme
Web Application Firewall   Extreme
FortiIsolator              Extreme
FortiDeceptor              Extreme
FortiEDR

Version Updates

Date        Version    Detail
2020-10-20  81.23000   Sig Updated
2020-08-25  79.87700   Sig Added