Virus

W32/Mofei.D

Analysis

  • Virus is 32bit with a compressed size of 42,496 bytes – virus also carries a .DLL component with a size of 45,056 bytes
  • Virus has a dependency on PSAPI.DLL which may not exist on Windows 98 systems
  • Virus uses imports from MPR.DLL to add network connections after first enumerating available machines on the network – virus attempts to connect to any machine found and infect it by copying itself to that system
  • If virus is run on a target system, it may copy itself to the Windows\System32 folder as “LASVR32.EXE” along with “LASVR32.DLL”
  • Virus will modify the registry to load at Windows startup by modifying an existing registry key and creating a new key –
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScardDrv\
    "ImagePath" = (WINNT\System32)\lasvr32.exe –v
    "Start" = 02, 00, 00, 00

    * “ImagePath” value was “undefinedSystemRootundefined\System32\SCardSvr.exe”

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    ”NavAgent32” = (WINNT\System32)\lasvr32.EXE -v

  • The .DLL component contains instructions which allows the .EXE file to run as a remote access Trojan – it supports the use from client access instructions such as the following –
    ver: show version.
    exit: exit this program.
    passwd: change password.
    passwd [newpassword] [re-newpassword]
    port: change port.
    port [newport] [re-newport]
    cmd: get windows command shell.
    pwd: get current directionary.
    cd: change directionary.
    cd [directionary]
    dir: list files.
    dir [directionary]
    del: delete a file.
    del [filename]
    mkdir: make new directionary.
    mkdir [new_dir]
    rmdir: remove a directionary.
    rmdir [directionary]
    exec: exec a DOS command.
    exec [DOS_command]

  • Virus attempts to enumerate users or connections by implementing capabilities of SMB protocol and the instruction “SamrEnumerateUsersInDomain” – virus may attempt to connect with available systems using weak logon credentials, then copy itself to the System32 folder and initiate the virus remotely
    ? Virus contains the following strings in its code –

  • ScardDrv Smart Card Helper Enables support for legacy non-plug and play
    smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start. ?

    MoFei Version 1.0.1.0