Date discovered:13/12/2012
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:66.390 Bytes
MD5 checksum:fc70ac8da59822ed456a27e396d6a610
VDF version:

General
Method of propagation:
   • Local network

Aliases:
   • Symantec: W32.Femot.O
   • Mcafee: W32/Mofei.worm
   • Kaspersky: Net-worm.Win32.Mofeir.o
   • TrendMicro: WORM_MOFEI.J
   • VirusBuster: Worm.Mofeir.C
   • Bitdefender: Win32.Worm.Mofeir.O

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification
   • Makes use of software vulnerability
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\ups32.exe

It deletes the initially executed copy of itself.

The following files are created:


Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\UPS]
   • "Description"="Manages an uninterruptible power supply (UPS) connected to the computer."
   • "DisplayName"="Uninterruptible Power Supply"
   • "ErrorControl"=dword:00000001
   • "ImagePath"="%SYSDIR%\UPS32.exe -v"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:00000002
   • "Type"=dword:00000010

– [HKLM\SYSTEM\CurrentControlSet\Services\UPS\Enum]
   • "0"="Root\\LEGACY_UPS\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPS]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPS\0000]
   • "Service"="UPS"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="Uninterruptible Power Supply"

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPS\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="UPS"
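As an added detection example (not part of the Avira description), the following Python parses a registry export written in the same layout as the keys listed above and flags any service whose ImagePath launches the dropped ups32.exe; it also checks a file against the size and MD5 given at the top of the description. The export text is a constructed sample, not a real system dump.

```python
import hashlib

# Indicators taken from the description above.
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\UPS"
DROPPED_NAME = "ups32.exe"
KNOWN_MD5 = "fc70ac8da59822ed456a27e396d6a610"
KNOWN_SIZE = 66390  # "66.390 Bytes" in the description

# Constructed sample export: the malicious UPS service beside a benign one.
SAMPLE_EXPORT = r"""
– [HKLM\SYSTEM\CurrentControlSet\Services\UPS]
   • "DisplayName"="Uninterruptible Power Supply"
   • "ImagePath"="%SYSDIR%\UPS32.exe -v"
   • "ObjectName"="LocalSystem"
   • "Start"=dword:00000002

– [HKLM\SYSTEM\CurrentControlSet\Services\Spooler]
   • "ImagePath"="%SYSDIR%\spoolsv.exe"
   • "Start"=dword:00000002
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from the bullet/.reg-style text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("–•-").strip()  # drop list markers
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys


def find_suspicious_services(keys):
    """Flag every service key whose ImagePath launches the dropped file."""
    findings = []
    for path, values in keys.items():
        image = values.get("ImagePath", "")
        if DROPPED_NAME in image.lower():
            findings.append((path, image))
    return findings


def matches_known_sample(data: bytes) -> bool:
    """File-level check against the size and MD5 the description lists."""
    return len(data) == KNOWN_SIZE and hashlib.md5(data).hexdigest() == KNOWN_MD5
```

A real service-name match is not enough on its own, since Windows of that era shipped a genuine "Uninterruptible Power Supply" service; the ImagePath and file hash are what separate the worm's copy from it.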

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • ADMIN$

It makes use of the following Exploit:
– MS02-018 (Patch for Internet Information Service)

Backdoor
The following port is opened:

– lsass.exe on a random TCP port in order to provide backdoor capabilities.

Contact server:
It contacts the following server:
   • 128.207.**********

As a result remote control capability is provided.

Remote control capabilities:
    • Disable network shares
    • Download file
    • Enable network shares
    • Execute file
    • Kill process
    • Open remote shell
    • Terminate process

Injection
It injects a backdoor routine into a process.

Process name:
   • lsass.exe

Miscellaneous
Internet connection:
In order to check for its internet connection the following DNS server is contacted:
   • **********

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Catalin Jora on Sunday, July 31, 2005
Description updated by Catalin Jora on Monday, September 5, 2005
