Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:13/12/2012
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:66.390 Bytes
MD5 checksum:fc70ac8da59822ed456a27e396d6a610
VDF version:

 General Method of propagation:
   • Local network

   •  Symantec: W32.Femot.O
   •  Mcafee: W32/Mofei.worm
   •  Kaspersky: Net-worm.Win32.Mofeir.o
   •  TrendMicro: WORM_MOFEI.J
   •  VirusBuster: Worm.Mofeir.C
   •  Bitdefender: Win32.Worm.Mofeir.O

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\ups32.exe

It deletes the initially executed copy of itself.

The following files are created:


 Registry The following registry keys are added in order to load the services after reboot:

   • "Description"="Manages an uninterruptible power supply (UPS) connected to the computer."
   • "DisplayName"="Uninterruptible Power Supply"
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\UPS32.exe -v"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:00000002
   • "Type"=dword:00000010

   • "0"="Root\\LEGACY_UPS\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

The following registry keys are added:

   • "NextInstance"=dword:00000001

   • "Service"="UPS"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Uninterruptible Power Supply"

   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="UPS"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • ADMIN$

It makes use of the following Exploit:
 MS02-018 (Patch for Internet Information Service)

 Backdoor The following port is opened:

lsass.exe on a random TCP port in order to provide backdoor capabilities.

Contact server:
The following:
   • 128.207.**********

As a result remote control capability is provided.

Remote control capabilities:
     Disable network shares
     Download file
     Enable network shares
     Execute file
     Kill process
     Open remote shell
     Terminate process

 Injection – It injects a backdoor routine into a process.

    Process name:
   • lsass.exe

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS server is contacted:
   • **********

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Catalin Jora on Sunday, July 31, 2005
Description updated by Catalin Jora on Monday, September 5, 2005

Back . . . .