Alias: W32/MoFei.worm [McAfee], WORM_MOFEI.A [Trend], WORM_MOFEI.B [Trend], W32/Mofei-A [Sophos], Backdoor.Mofeir.101 [KAV], Worm.Win32.Mofeir.b [KAV], Win32.Mofei.A [CA], Win32.Mofei.B [CA], W32.Femot.Worm
Type: Worm
Size: variable.
Origin:
Date: 00-00-0000
Damage: Backdoor component.
VDF Version: 6.23.00.00
Danger: Medium
Distribution: Medium

Distribution
The worm tries to connect to other computers, as the current user or as administrator, and copies itself to those systems.

Technical Details
When activated, Worm/Mofeir.B.2 copies itself as %WinDIR%\SystemDIR\Scardsvr32.exe
and creates the file
%WinDIR%\Systemdir\Mofei.cfg. This file works as a Backdoor component.

The worm makes the autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NavAgent32"="%Windows%\System32\navpw32.exe -v"

It uses the following passwords:
stgzs
security
super
oracle
secret
root
admin
password
passwd
pass
88888888
888888
00000000
000000
11111111
111111
111
fan@ing*
54321
654321
12345678
1234567
123456
12345
1234
123
12

If the worm can connect to another computer, it searches for the following files:
%s\ADMIN$\%SystemDIR%\scardsvr32.exe
%s\ADMIN$\%SystemDIR%\MoFei.ver
If they are not on the system, the worm creates the files:
%s\ADMIN$\%SystemDIR%\scardsvr32.exe
%s\IPC$\%SystemDIR%\scardsvr32.exe
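
A triage check built from the file names and the Run entry listed above, as an added example that is not part of the original description: it matches them case-insensitively against a file listing and a .reg text export collected from a suspect host. The function names, the sample listing and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above, lower-cased: Windows file and
# registry names are case-insensitive, so every comparison must be too.
FILE_NAMES = {"scardsvr32.exe", "mofei.cfg", "mofei.ver"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "navagent32"
RUN_VALUE_IMAGE = "navpw32.exe"

# A string value line in a .reg export: "name"="data" with \\ and \" escapes.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def match_files(paths):
    """Return the paths whose file name is one of the worm's file names."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in FILE_NAMES]

def match_run_values(reg_text):
    """Return (name, data) pairs under the HKLM Run key that match the entry."""
    hits, in_run = [], False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # exact key, not RunOnce
            continue
        m = _VALUE.match(line) if in_run else None
        if m:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            if name.lower() == RUN_VALUE_NAME or RUN_VALUE_IMAGE in data.lower():
                hits.append((name, data))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\SCARDSVR32.EXE",
    r"C:\WINDOWS\System32\MoFei.ver",
    r"C:\WINDOWS\System32\notepad.exe",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"NAVAGENT32"="C:\\WINDOWS\\System32\\navpw32.exe -v"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NavAgent32"="C:\\ignored.exe"
'''

if __name__ == "__main__":
    print(match_files(SAMPLE_FILES))
    print(match_run_values(SAMPLE_REG))
```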

The Backdoor Component:
The worm waits for further instructions from its author, which may include the following actions:
- starts the Windows command interpreter (CMD.exe or command.com)
- runs executable files
- deletes/creates files and folders
- downloads files from the Internet.
Description inserted by Crony Walker on Tuesday, June 15, 2004
