Mofei is a network worm with backdoor capabilities. It was discovered in the beginning of June 2003. We have received a few reports about this worm from the field.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm is usually dropped to a system by SCARDSVR32.EXE file. This file is a dropper that creates the following files in Windows System fodler:
mofei.cfg navpw32.exe scardsvr32.dll
The NAVPW32.EXE file is dropped only on Windows 9x. After installation the dropper deletes itself from a hard drive.
Then the dropper copies itself with SCARDSVR32.EXE name to Windows System folder and creates a startup key for its file in System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NavAgent32" = "[path_to_the_dropper] -v"
On NT-based computers the worm attempts to start this file as a service named SCardDrv. This way the worm's file is always active when Windows starts.
The worm spreads to computers with Windows NT-based operating systems via local network. It scans for computers with open ports 135 and 139 and if such computer is found, the worm tries to connect to IPC$ share of that computer. Mofei worm tries a few fixed passwords to get access to the IPC$ share and if it succeeds, it copies the dropper to Windows System folder on a remote computer with SCARDSVR32.EXE name and creates a service for it in System Registry.
The worm has backdoor functionalities. It contains 2 backdoor files, one for Windows 9x operating systems and the other for NT-based operating systems. A remote hacker can log into the backdoor and perform the following actions:
- show help message - show version - exit this program - change password - change port - get windows command shell - run a command - get current directionary - change directionary - list files - delete a file - make new directionary - remove a directionary - exec a DOS command - Download Internet file - bind a port - close bind
The port that the backdoor listens to is configurable. Additionally the backdoor provides information about an infected computer to a hacker.
To disinfect a system it's enough to delete all worm's files from a hard disk.