- Virus is a 32-bit executable with a compressed size of 42,496
bytes; it also carries a .DLL component with a size of 45,056 bytes
- Virus depends on PSAPI.DLL, which is not present by default on
Windows 98 systems, so it may fail to load there
- Virus uses imports from MPR.DLL (the WNet* network provider API)
to add network connections: it first enumerates the machines visible
on the network, then attempts to connect to every machine found and
infect it by copying itself to that system
- When run on a target system, the virus copies itself to the
System32 folder (e.g. C:\WINNT\System32) as "LASVR32.EXE"
together with "LASVR32.DLL"
- Virus modifies the registry so that it is loaded at Windows
startup, both by altering an existing service key and by creating
a new value:
"ImagePath" = (WINNT\System32)\lasvr32.exe -v
"Start" = 02, 00, 00, 00 (REG_DWORD 2, i.e. SERVICE_AUTO_START)
* The "ImagePath" value previously read "%SystemRoot%\System32\SCardSvr.exe", so the hijacked entry is the Smart Card Helper service, whose description the virus also carries in its strings (see below)
"NavAgent32" = (WINNT\System32)\lasvr32.EXE -v
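As an added example (not part of this writeup and not code from the sample), the following Python script checks an offline registry export, such as the output of `reg export` or a .reg file written from a hive pulled off a suspect host, for the persistence changes listed above: any value pointing at lasvr32.exe or lasvr32.dll, and a Smart Card Helper service whose ImagePath no longer runs SCardSvr.exe. The .reg text is constructed for the example; the service key name SCardDrv and the placement of NavAgent32 under the Run key are assumptions, since the writeup gives the value names but not their keys.

```python
import re

# Constructed sample of a "reg export" (Windows Registry Editor Version 5.00 format)
# from a host showing the modifications described above. Built for this example,
# not captured from a real system. The key holding NavAgent32 (the Run key) and the
# service key name SCardDrv are assumptions; the writeup names only the values.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardDrv]
"DisplayName"="Smart Card Helper"
"ImagePath"="C:\\WINNT\\System32\\lasvr32.exe -v"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]
"DisplayName"="Smart Card"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
  43,00,61,00,72,00,64,00,53,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NavAgent32"="C:\\WINNT\\System32\\lasvr32.EXE -v"
'''

SCARDDRV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardDrv"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICE_AUTO_START = 2  # REG_DWORD 2 in a service's "Start" value
# The dropped component names from the writeup, matched as a path component.
LASVR32_RE = re.compile(r"\\lasvr32\.(exe|dll)\b", re.IGNORECASE)


def _decode_value(raw):
    """Decode one value as regedit writes it: "string", dword:hex, or
    hex(2): (REG_EXPAND_SZ as comma-separated UTF-16LE bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other binary types are kept in their textual form


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg (version 5.00) export."""
    # regedit wraps long hex data with a trailing backslash; join those lines first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def find_indicators(keys):
    """Return sorted (key, value_name, reason) tuples for the persistence indicators."""
    hits = []
    # 1. Any string value anywhere that points at the dropped component.
    for key, values in keys.items():
        for name, value in values.items():
            if isinstance(value, str) and LASVR32_RE.search(value):
                hits.append((key, name, "points at the lasvr32 component"))
    # 2. The Smart Card Helper service no longer runs its legitimate binary.
    svc = keys.get(SCARDDRV_KEY, {})
    image = svc.get("ImagePath", "")
    if image and not image.lower().endswith("\\scardsvr.exe"):
        hits.append((SCARDDRV_KEY, "ImagePath",
                     "Smart Card Helper no longer runs SCardSvr.exe (Start=%s)" % svc.get("Start")))
    return sorted(hits)


if __name__ == "__main__":
    for key, name, reason in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%s\\%s: %s" % (key, name, reason))
```

The hex(2) branch matters in practice: `reg export` writes REG_EXPAND_SZ values such as a service ImagePath as UTF-16LE hex, wrapped across lines, so a checker that only understands quoted strings will miss the very value the virus rewrites.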
The .DLL component implements the backdoor logic that lets the .EXE run as a remote access Trojan; it accepts the following commands from a connecting client (spelling as it appears in the sample's help text):
ver: show version.
exit: exit this program.
passwd: change password.
passwd [newpassword] [re-newpassword]
port: change port.
port [newport] [re-newport]
cmd: get windows command shell.
pwd: get current directionary.
cd: change directionary.
dir: list files.
del: delete a file.
mkdir: make new directionary.
rmdir: remove a directionary.
exec: exec a DOS command.
- Virus attempts to enumerate users and connections over SMB, using the SAMR RPC call "SamrEnumerateUsersInDomain"; it then tries to log on to the systems it found with weak logon credentials, copies itself to the remote System32 folder and starts itself remotely
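The spread described above leaves a characteristic trail in the Security logs of the hosts it touches: one source host making network logons to many different hosts within minutes, several of them failing before one succeeds. The following Python detector is an added example that is not part of this writeup; it runs over constructed, normalised logon events (host and account names, the five-minute window and the five-host threshold are all assumptions) and flags a source that fans out to many hosts, listing the hosts where a failed logon was followed by a success.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network (logon type 3, i.e. SMB) authentication events as a
# collector might normalise them from the Security logs of several hosts:
# (UTC time, source host, target host, account, outcome). Built for this example,
# not taken from a real incident; host and account names are invented.
SAMPLE_LOGONS = [
    # One workstation trying the same account against every host it can see,
    # with a few guesses per host: the spreading pattern described above.
    ("2003-06-01T09:00:00", "WS07", "FS01", "administrator", "failure"),
    ("2003-06-01T09:00:01", "WS07", "FS01", "administrator", "failure"),
    ("2003-06-01T09:00:02", "WS07", "FS01", "administrator", "success"),
    ("2003-06-01T09:00:05", "WS07", "WS12", "administrator", "success"),
    ("2003-06-01T09:00:09", "WS07", "WS13", "administrator", "failure"),
    ("2003-06-01T09:00:10", "WS07", "WS13", "administrator", "failure"),
    ("2003-06-01T09:00:14", "WS07", "PRN01", "administrator", "failure"),
    ("2003-06-01T09:00:20", "WS07", "DC01", "administrator", "failure"),
    ("2003-06-01T09:00:25", "WS07", "WS20", "administrator", "success"),
    # Benign: a user opening two file shares during the morning.
    ("2003-06-01T09:01:00", "WS02", "FS01", "jsmith", "success"),
    ("2003-06-01T09:30:00", "WS02", "FS02", "jsmith", "success"),
    # Benign: an administrator visiting many hosts, but spread over hours.
    ("2003-06-01T08:00:00", "ADMIN01", "WS11", "helpdesk", "success"),
    ("2003-06-01T08:30:00", "ADMIN01", "WS12", "helpdesk", "success"),
    ("2003-06-01T09:00:00", "ADMIN01", "WS13", "helpdesk", "success"),
    ("2003-06-01T09:30:00", "ADMIN01", "WS14", "helpdesk", "success"),
    ("2003-06-01T10:00:00", "ADMIN01", "WS15", "helpdesk", "success"),
    ("2003-06-01T10:30:00", "ADMIN01", "WS16", "helpdesk", "success"),
]

WINDOW = timedelta(minutes=5)  # tuning assumptions, not values from the writeup
MIN_TARGETS = 5


def _guessed_hosts(events, targets):
    """Targets where a failed logon was later followed by a success: a guessed password."""
    guessed = []
    for dst in sorted(targets):
        outcomes = [o for _, d, _, o in events if d == dst]
        if "failure" in outcomes and "success" in outcomes[outcomes.index("failure"):]:
            guessed.append(dst)
    return guessed


def find_fan_out(events, window=WINDOW, min_targets=MIN_TARGETS):
    """Flag source hosts that authenticate to >= min_targets distinct hosts inside any
    interval of length `window`. Returns {source: {"first_seen", "targets", "guessed"}}."""
    by_src = defaultdict(list)
    for ts, src, dst, acct, outcome in events:
        by_src[src].append((datetime.fromisoformat(ts), dst, acct, outcome))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        flagged = set()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {e[1] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged |= targets
        if flagged:
            alerts[src] = {
                "first_seen": evs[0][0].isoformat(),
                "targets": sorted(flagged),
                "guessed": _guessed_hosts(evs, flagged),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_fan_out(SAMPLE_LOGONS).items():
        print(src, info)
```

The time window is what separates the worm from an administrator who legitimately touches many hosts over a day; the "guessed" list then points the responder at the hosts that most likely received LASVR32.EXE and should be checked for the service and Run-key changes first.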
- Virus contains the following strings in its code:
ScardDrv Smart Card Helper Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
MoFei Version 126.96.36.199