W32/Mofei-A

Discussion in 'malware problems & news' started by Technodrome, Jun 6, 2003.

Thread Status:
Not open for further replies.
  1. Technodrome, Security Expert (Joined: Feb 13, 2002; Posts: 2,140; Location: New York)

    W32/Mofei-A is a worm which spreads via network shares and contains a backdoor Trojan which allows remote access and control over the computer.

    When first run, W32/Mofei-A copies itself to the Windows System32 folder as Scardsvr32.exe and drops the file Scardsvr32.dll to the System32 folder. W32/Mofei-A may also drop the files MoFei.dat and MoFei.VER to the System32 folder.

    When W32/Mofei-A is run on Microsoft Windows 9x it creates the registry entry

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SCardDrv
    = %WINDOWS%\SYSTEM32\Scardsvr32.exe -v

    so that Scardsvr32.exe is run automatically each time Windows is started.

    When W32/Mofei-A is run on Microsoft Windows NT, 2000 or XP, it replaces the "Smart Card Helper" service and configures this service to run automatically upon startup.

    more: http://www.sophos.com



    Technodrome
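
A triage check for the indicators listed in the post above, added here as an example that is not part of the original post or of the Sophos description. The input formats (a collected list of file paths and a regedit-style export), the function names and the sample data are assumptions; it covers the dropped files and the Windows 9x RunServices entry, not the service replacement on NT, 2000 or XP.

```python
import re
from pathlib import PureWindowsPath

# Indicators as named in the post above (compared case-insensitively).
DROPPED_FILES = {"scardsvr32.exe", "scardsvr32.dll", "mofei.dat", "mofei.ver"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\runservices"
RUN_VALUE = "scarddrv"

def check_files(paths):
    """Return listed paths that name a dropped file directly inside a System32 folder."""
    hits = []
    for p in paths:
        w = PureWindowsPath(p)
        if w.name.lower() in DROPPED_FILES and w.parent.name.lower() == "system32":
            hits.append(p)
    return hits

def check_reg_export(text):
    """Return (value name, data) pairs under RunServices that match the post's entry."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: normalise the hive name to the short form used in the post.
            key = line[1:-1].lower().replace("hkey_local_machine", "hklm")
        elif key == RUN_KEY:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if not m:
                continue
            # .reg exports double every backslash inside string data.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            # Flag the value name from the post, or any value launching the dropped executable.
            if name.lower() == RUN_VALUE or "scardsvr32.exe" in data.lower():
                hits.append((name, data))
    return hits

# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM32\Scardsvr32.exe", r"C:\WINDOWS\SYSTEM32\notepad.exe",
                r"C:\WINDOWS\SYSTEM32\MoFei.dat", r"C:\Temp\Scardsvr32.dll"]
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SCardDrv"="C:\\WINDOWS\\SYSTEM32\\Scardsvr32.exe -v"
'''

if __name__ == "__main__":
    print(check_files(SAMPLE_FILES))
    print(check_reg_export(SAMPLE_REG))
```

A file with a matching name outside System32 (the last sample path) is not reported by `check_files`, since the post places all dropped files in System32.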
     