W32/MoFei.worm

Type
Virus
SubType
Worm
Discovery Date
06/03/2003
Length
20480 (dll)
20992 (dll)
Minimum DAT
4271 (06/11/2003)
Updated DAT
5579 (04/09/2009)
Minimum Engine
5.1.00
Description Added
06/04/2003
Description Modified
09/04/2006 6:48 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a network share propagation worm. It attempts to spread by copying itself to the ADMIN$ share of remote machines. The worm scans IP addresses on ports 135 and 139 and tries to gain access to the share by guessing weak administrator usernames and passwords. There are several variants of this worm, so the exact details of infection noted below may vary from one infection to another.

The worm includes a dropper file. When the dropper is run on a Windows 98/ME machine, it creates the following files in the c:\windows\system32 directory:

  • NAVPW32.EXE (11,776 bytes)
  • SCARDSVR32.EXE (copy of the dropper)

It creates the following registry key to load itself at Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "NavAgent32" = "%WinDir%\system32\scardsvr32.exe -v"

On NT/2000 machines, the dropper modifies the registry keys of the "Smart Card Helper" service (SCardDrv) so that the worm is installed as a service, which is started automatically at system startup. The following registry key is present:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SCardDrv
    "ImagePath" = "C:\WINNT\system32\scardsvr32.exe -v"

The following files are created at C:\WINNT\system32 directory:

  • SCARDSVR32.DLL
  • SCARDSVR32.EXE (copy of the dropper file)
The worm can also create several temporary or log files in the same directory, including:
  • mofei.cfg
  • MoFei.DAT (log file of the IP addresses that were scanned)
  • MoFei.ID
  • ...
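
The file and registry artifacts listed above can be checked offline from a registry export and a directory listing. The following Python script is an added example and not code from the original description: it parses a regedit-style .reg export (both quoted REG_SZ values and the hex(2) form regedit uses for REG_EXPAND_SZ values such as ImagePath) and a `dir` listing of %SystemRoot%\system32, and reports the MoFei indicators it finds. The embedded inputs are constructed for illustration, and the file sizes in the listing are arbitrary. Note that SCardDrv is a legitimate Windows 2000 service, so the registry check keys on an ImagePath that points at scardsvr32.exe rather than on the mere presence of the key.

```python
"""Host-side triage for the W32/MoFei.worm artifacts listed above.

Added example, not code from the original description. Inputs are two plain-text
artifacts a responder would collect from a suspect NT/2000 machine: a registry
export in regedit .reg format and a `dir` listing of %SystemRoot%\\system32.
The samples embedded below are constructed for illustration; nothing is read
from the live machine, so the script runs anywhere.
"""
import re

# File names from the description (matched case-insensitively).
MOFEI_FILES = {"scardsvr32.exe", "scardsvr32.dll", "navpw32.exe",
               "mofei.cfg", "mofei.dat", "mofei.id"}

# Registry indicators: (key-path suffix, value name, substring expected in the data).
# SCardDrv ("Smart Card Helper") is a legitimate Windows 2000 service, so the
# indicator is an ImagePath that points at scardsvr32.exe, not the key itself.
MOFEI_REG = [
    (r"\currentversion\run", "navagent32", "scardsvr32.exe"),
    (r"\services\scarddrv", "imagepath", "scardsvr32.exe"),
]


def _decode_value(data):
    """Decode a .reg value: quoted REG_SZ, or hex(2): (REG_EXPAND_SZ as UTF-16LE)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
    m = re.match(r"hex\(2\):(.*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text):
    """Return {key path (lowercased): {value name (lowercased): decoded data}}."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"').lower()] = _decode_value(data)
    return keys


def check_registry(reg_text):
    """Return 'key\\value = data' strings for every MoFei registry indicator found."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        for suffix, name, needle in MOFEI_REG:
            if key.endswith(suffix) and needle in values.get(name, "").lower():
                hits.append(f"{key}\\{name} = {values[name]}")
    return hits


def check_files(dir_listing):
    """Return file names from a `dir` listing that are in the MoFei file set.
    Assumes the file name is the last whitespace-separated field on each line."""
    hits = []
    for line in dir_listing.splitlines():
        parts = line.split()
        if parts and parts[-1].lower() in MOFEI_FILES:
            hits.append(parts[-1])
    return hits


def triage(reg_text, dir_listing):
    """Combine both checks; empty lists mean no MoFei indicators were seen."""
    return {"registry": check_registry(reg_text), "files": check_files(dir_listing)}


# Constructed sample inputs (not captured from a real infection). ImagePath is
# REG_EXPAND_SZ, which regedit exports as hex(2): UTF-16LE bytes; these decode
# to "C:\WINNT\system32\scardsvr32.exe -v" as given in the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NavAgent32"="%WinDir%\\system32\\scardsvr32.exe -v"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SCardDrv]
"DisplayName"="Smart Card Helper"
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,63,00,61,00,72,00,64,00,73,00,\
  76,00,72,00,33,00,32,00,2e,00,65,00,78,00,65,00,20,00,2d,00,76,00,00,00
'''

# Sizes here are arbitrary; scardsvr.exe is the legitimate binary and is not flagged.
SAMPLE_DIRLIST = """\
 Directory of C:\\WINNT\\system32
06/03/2003  10:12a              20,992 scardsvr32.dll
06/03/2003  10:12a              11,776 scardsvr32.exe
06/03/2003  10:13a               1,024 MoFei.DAT
12/07/1999  05:00a              98,576 scardsvr.exe
"""

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_REG, SAMPLE_DIRLIST).items():
        print(kind, "->", found or "clean")
```

Feed it a real export with `regedit /e` and the output of `dir %SystemRoot%\system32` to use it on a suspect machine; a hit on the Run value or the SCardDrv ImagePath alongside the scardsvr32.* files is the combination the description identifies.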

On NT/2000, SCARDSVR32.DLL is injected into the address space of the system processes LSASS.EXE and EXPLORER.EXE. Because the DLL is held in memory by these processes while Windows is running, removal requires booting into Safe Mode. The worm also tries to contact port 1080 or 8080 (ports commonly used by SOCKS and HTTP proxies) on several Internet hosts, such as:

  • images.daemon.sh
  • google.ods.org
  • rsthost.ods.org
  • rsthost1.ods.org
  • rsthost2.ods.org
  • rsthost3.ods.org
  • windowsupdate.bsd.st

The worm scans the 192.168.x.x IP range plus a set of IP ranges carried in the worm body (which varies per variant). It tries to connect on ports 135 and 139. When a machine responds, it attempts to connect to the ADMIN$ and IPC$ shares by trying a set of administrator passwords carried in the worm body (also varying per variant). It may also gain access to the target by "piggybacking" on the credentials of the currently logged-on user. It then copies itself to the remote machine via the ADMIN$ share.
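
The network behaviour described above (a sweep of ports 135/139 across many neighbours, followed by lookups of the listed hosts and outbound connections on 1080/8080) is visible in firewall or flow logs and DNS logs well before a signature exists. The following Python script is an added detection example, not part of the original description. It assumes two simple constructed log formats, connection records of the form "timestamp src dst dport" and DNS query records of the form "timestamp client qname", and the threshold of eight distinct share targets per minute is an illustrative choice; adapt the parsers and thresholds to your own log layout.

```python
"""Network-side detection for the MoFei propagation behaviour described above.

Added example, not from the original description. Two constructed inputs stand
in for what a firewall/flow collector and a DNS server would log:
  connection records:  "YYYY-MM-DDTHH:MM:SS src dst dport"
  DNS query records:   "YYYY-MM-DDTHH:MM:SS client qname"
Formats, thresholds and sample addresses are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

SHARE_PORTS = {135, 139}      # RPC endpoint mapper and NetBIOS session service
PROXY_PORTS = {1080, 8080}    # ports the worm contacts on its remote hosts
# Hosts the description says the worm tries to reach.
MOFEI_HOSTS = {"images.daemon.sh", "google.ods.org", "rsthost.ods.org",
               "rsthost1.ods.org", "rsthost2.ods.org", "rsthost3.ods.org",
               "windowsupdate.bsd.st"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_share_sweep(conn_lines, min_hosts=8, window_s=60):
    """Return {src: peak number of distinct 135/139 targets seen within any
    window_s-second window} for sources reaching at least min_hosts targets.
    Records must be time-ordered per source. A workstation talking to a few
    file servers never approaches min_hosts; a share-jumping worm does quickly."""
    per_src = defaultdict(deque)   # src -> deque of (time, dst), oldest first
    peaks = {}
    for line in conn_lines:
        ts, src, dst, dport = line.split()
        if int(dport) not in SHARE_PORTS:
            continue
        t = _ts(ts)
        q = per_src[src]
        q.append((t, dst))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_hosts:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks


def detect_proxy_beacons(conn_lines, dns_lines):
    """Correlate DNS lookups of the worm's hosts with outbound 1080/8080
    connections from the same client. Returns sorted (client, qname) pairs."""
    lookups = defaultdict(set)
    for line in dns_lines:
        _, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in MOFEI_HOSTS:
            lookups[client].add(qname)
    beaconing = set()
    for line in conn_lines:
        _, src, _, dport = line.split()
        if int(dport) in PROXY_PORTS and src in lookups:
            beaconing.update((src, q) for q in lookups[src])
    return sorted(beaconing)


def build_sample():
    """Constructed logs: 192.168.1.20 is infected, 192.168.1.50 is a normal host."""
    conns = [f"2003-06-03T10:00:{2 * i:02d} 192.168.1.20 192.168.1.{i} 139"
             for i in range(1, 13)]                 # twelve neighbours in ~24 s
    conns += ["2003-06-03T10:00:05 192.168.1.50 192.168.1.3 139",
              "2003-06-03T10:00:40 192.168.1.50 192.168.1.4 139",
              "2003-06-03T10:01:00 192.168.1.20 203.0.113.9 8080"]
    dns = ["2003-06-03T10:00:30 192.168.1.50 www.example.com.",
           "2003-06-03T10:00:58 192.168.1.20 rsthost.ods.org.",
           "2003-06-03T10:00:59 192.168.1.20 windowsupdate.bsd.st."]
    return conns, dns


if __name__ == "__main__":
    conns, dns = build_sample()
    print("share sweep:", detect_share_sweep(conns))
    print("proxy beacons:", detect_proxy_beacons(conns, dns))
```

The sweep detector alone also catches other share-jumping worms and manual lateral movement, since it keys on the fan-out rather than on anything specific to MoFei; the hostname correlation is what ties a hit to this family.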

Symptoms

Method of Infection

Removal

All Users:
Use the specified engine and DAT files for detection.

Please Note: On NT/2000 machines, because the DLL component of this worm is injected into the memory space of LSASS.EXE and EXPLORER.EXE, removal from an infected system is complex. The scan/clean should be performed in Safe Mode. The following steps should be taken:

  • Reboot the system into Safe Mode (press F8 as soon as the "Starting Windows" text is displayed and choose Safe Mode; Windows NT 4.0 has no Safe Mode, so choose VGA mode there)
  • Run VirusScan and choose to clean all infected files
  • Restart the computer
Many share-jumping worms rely on weak usernames and passwords. They attempt to gain administrative rights with a dictionary-style attack, trying usernames such as "admin" or "administrator" and passwords such as "admin" or "123456". Beyond guessing weak credentials, many can also use the credentials of the logged-on user, meaning that if a super-administrator or domain administrator logs on to an infected system, or becomes infected, the worm has access to every system within that account's "reach". Such worms also rely on the presence of the default administrative shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent this kind of spreading. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the Startup folder, since Windows re-creates these shares each time the Server service starts:

  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete

Be aware that removing ADMIN$ and IPC$ also breaks remote administration tools that depend on them (remote service installation, remote registry and other named-pipe based management), so test the effect before deploying this broadly. On NT/2000 the automatic creation of C$, D$ and ADMIN$ can instead be disabled persistently by setting the REG_DWORD value AutoShareServer (on servers) or AutoShareWks (on workstations) to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; IPC$ is not controlled by that setting.
Variants

    N/A

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

-- Update September 04, 2006 --

This threat has recently been seen in the wild being dropped by Microsoft Office documents that use a 0-day exploit to compromise the victim host.

For more information on this exploit, please see the following VIL description: W32/MoFei.worm.dr

 

Aliases

  • Net-Worm.Win32.Mofeir.w (Kaspersky)
  • W32.Femot.Worm (Symantec)
  • WORM_MOFEI.A (Trend)
  • WORM_MOFEI.AK (Trend)
