W32/Mofei-A

Discussion in 'malware problems & news' started by Technodrome, Jun 6, 2003.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    W32/Mofei-A is a worm which spreads via network shares and contains a backdoor Trojan which allows remote access and control over the computer.

    When first run, W32/Mofei-A copies itself to the Windows System32 folder as Scardsvr32.exe and drops the file Scardsvr32.dll to the System32 folder. W32/Mofei-A may also drop the files MoFei.dat and MoFei.VER to the System32 folder.

    When W32/Mofei-A is run on Microsoft Windows 9x it creates the registry entry

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SCardDrv
    = %WINDOWS%\SYSTEM32\Scardsvr32.exe -v

    so that Scardsvr32.exe is run automatically each time Windows is started.

    When W32/Mofei-A is run on Microsoft Windows NT, 2000 or XP, it replaces the "Smart Card Helper" service and configures this service to run automatically upon startup.

    more: http://www.sophos.com



    Technodrome
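
A triage check for the indicators the post lists, as an added example that is not part of the original post or of the Sophos description: it matches the four dropped file names in a file listing and the RunServices autostart value in a regedit text export. The function names, the sample listing and the sample export are constructed for illustration; the service replacement on Windows NT, 2000 and XP is not covered.

```python
import re
from pathlib import PureWindowsPath

# Indicators as listed in the post; Windows names compare case-insensitively.
# A regedit export spells HKLM out as HKEY_LOCAL_MACHINE.
DROPPED = {"scardsvr32.exe", "scardsvr32.dll", "mofei.dat", "mofei.ver"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
RUN_VALUE = "scarddrv"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def file_hits(paths):
    """Return paths naming a listed dropped file directly inside a System32 folder."""
    wins = ((p, PureWindowsPath(p)) for p in paths)
    return [p for p, w in wins
            if w.name.lower() in DROPPED and w.parent.name.lower() == "system32"]

def run_key_hits(reg_text):
    """Return (key, value, data) for RunServices string values matching the post."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # section header: the current registry key
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() != RUN_KEY:
            continue
        name, raw = m.groups()
        data = re.sub(r"\\(.)", r"\1", raw)   # undo .reg escaping of \ and "
        # Match on the value name or on the target, so a renamed value still hits.
        if name.lower() == RUN_VALUE or "scardsvr32.exe" in data.lower():
            hits.append((key, name, data))
    return hits

# Constructed sample input (not from a real host); the last two files must not match.
SAMPLE_FILES = [
    r"C:\WINDOWS\SYSTEM32\Scardsvr32.exe", r"C:\WINDOWS\SYSTEM32\MOFEI.DAT",
    r"C:\WINDOWS\SYSTEM32\SCardSvr.exe", r"C:\Temp\Scardsvr32.dll",
]
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"SCardDrv"="C:\\WINDOWS\\SYSTEM32\\Scardsvr32.exe -v"
'''

if __name__ == "__main__":
    print(file_hits(SAMPLE_FILES), run_key_hits(SAMPLE_REG))
```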
     