Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 7: Network worms

Mofei

ALIAS: W32/MoFei.worm, Backdoor.Mofeir.101, Mofeir, Worm.Win32.Mofeir

Mofei is a network worm with backdoor capabilities. It was discovered in the beginning of June 2003. We have received a few reports about this worm from the field.

The worm is usually dropped to a system by SCARDSVR32.EXE file. This file is a dropper that creates the following files in Windows System fodler:

 mofei.cfg
 mofei.dat --- log file for the worm
 scardsvr32.dll

The NAVPW32.EXE file is dropped only on Windows 9x. After installation the dropper deletes itself from a hard drive.

Then the dropper copies itself with SCARDSVR32.EXE name to Windows System folder and creates a startup key for its file in System Registry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NavAgent32" = "<path_to_the_dropper> -v"

On NT-based computers the worm attempts to start this file as a service named SCardDrv. This way the worm's file is always active when Windows starts.

The worm spreads to computers with Windows NT-based operating systems via local network. It scans for computers with open ports 135 and 139 and if such computer is found, the worm tries to connect to IPC$ share of that computer. Mofei worm tries a few fixed passwords to get access to the IPC$ share and if it succeeds, it copies the dropper to Windows System folder on a remote computer with SCARDSVR32.EXE name and creates a service for it in System Registry.

The worm has backdoor functionalities. It contains 2 backdoor files, one for Windows 9x operating systems and the other for NT-based operating systems. A remote hacker can log into the backdoor and perform the following actions:

 - show help message
 - show version
 - exit this program
 - change password
 - change port
 - get windows command shell
 - run a command
 - get current directionary
 - change directionary
 - list files
 - delete a file
 - make new directionary
 - remove a directionary
 - exec a DOS command
 - Download Internet file
 - bind a port
 - close bind

The port that the backdoor listens to is configurable. Additionally the backdoor provides information about an infected computer to a hacker.

To disinfect a system it's enough to delete all worm's files from a hard disk.

[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 9th, 2003]  

 

This is a network share propagation worm. It attempts to spread by copying itself to the ADMIN$ share of remote machines. The worm scans ip addresses at port 135 and 139, tries to gain access to the share by trying weak administrator username and passwords. There are several variants of this worm. As such, the exact details of infection as noted below may vary from infection to infection.

The worm includes a dropper file. When the dropper is run on Windows 98/ME machines it creates the following file at c:\windows\system32 directory:

 

It creates the following registry key to load itself at Windows startup:

On NT/2000 machines, the dropper modifies the "Smart Card Helper" service registry keys in order to install itself as a service. The service is automatic started at system startup. The following registry keys are present:

The following files are created at C:\WINNT\system32 directory:

The worm can create several temp or log file in the same directory. The files includes:

On NT/2000, the SCARDSVR32.DLL file is injected into system LSASS.EXE and EXPLORER.EXE process space. The nature in which this is done necessitates booting to Safe Mode for removal. The worm tries to contact port 1080 or 8080 of several internet addressed, such as:

The worm scans 192.168.x.x ip range plus a set of ip ranges carried in the worm body (varies per variant). It tries to connect on port 135 and 139. If any machine is found, it attempts to make connection to the ADMIN$ and IPC$ shares by trying a set of administrator passwords carried in the worm body (varies per variant). It may also gain access to the target system by "piggy backing" on the credentials of the currently authenticated user. It then copies itself to the remote machine via the ADMIN$ share.

All Users:
Use specified
engine and DAT files for detection.

Please Note: On NT/2000 machines, due to the nature in which the DLL component of this trojan is injected into the memory space of LSASS.EXE and EXPLORER.EXE, removal from an infected system is complex. The scan/clean should be performed in Safe Mode. The following steps should be taken:

Many share jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords many can use the credentials of the local user. Meaning that if a super-administrator, or domain-admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of default, admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script, or placed in the startup folder.

Note: To download ClnMofei.com -  a utility that cleans a local machine affected by Win32.Mofei and its variants, please click here.

This utility may be especially useful for those who either do not use CA Antivirus solutions, or who may be using products based on older technology that does not support system cleaning. Please view the Removal Instructions for your CA Antivirus Solution (below) to ascertain whether you require the cleaning utility.

Warning: Before running ClnMofei.com, please ensure that you carefully review the readme.txt instruction file that accompanies this utility.  Depending on the stage of infection, system reboot may be required to remove the worm.

Win32.Mofei.A is a network worm that spreads through default ADMIN$ and IPC$ network shares.

The worm is UPX packed and 45,486 bytes in size. It copies itself as scardsvr32.exe and a DLL to %Windows%\System32 directory. The DLL, named scardsvr32.dll is also UPX packed and 20,992 bytes in size. The DLL contains the main replication routine, and is injected to system processes like LSASS.EXE and IEXPLORER.EXE to hide its presence.

The worms modifies the registry in order to execute at the next system reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SCardDrv = "%Windows%\system32\scardsvr32.exe"

On Windows 2000 systems, the worm replaces an existing service named "Smart Card Helper".  Note that the original system filename is "scardsvr.exe"

HKLM\SYSTEM\CurrentControlSet\Services\SCardDrv\ImagePath, with value "%Windows%\System32\scardsvr32.exe -v"

The worm scans the network for open 135 or 139 ports. Once found, the worm tries to establish a connection using the following user names:

admin
tcpang
yhchen
cthsieh
flora
hychen
rober
smchou
corden
cesil
shhung
wachen

If successful, the worm copies itself onto the share  as "System32\scardsvr32.exe".  A log file, MoFei.DAT, is kept under the %Windows%\System32 directory to record IP addresses scanned by the worm.  In addition to the following IP range, the worm also randomly selects IPs to scan:

local subnet (255.255.255.0)
164.100.0.0 - 164.100.255.255
164.0.0.1 - 164.255.255.255
203.200.0.1 - 203.200.255.255
12.10.192.0 - 12.10.199.255
194.117.0.0 - 194.117.255.255
194.154.0.0 - 194.154.255.255
194.65.0.0 - 194.65.255.255
195.112.0.0 - 195.112.255.255
195.224.0.0 - 195.224.255.255
196.12.0.0 - 196.12.255.255
196.3.0.0 - 196.3.255.255
199.244.0.0 - 199.244.255.255
202.131.0.0 - 202.131.255.255
202.134.0.0 - 202.134.255.255
202.136.0.0 - 202.136.255.255
202.138.0.0 - 202.138.255.255
202.140.0.0 - 202.140.255.255
202.141.0.0 - 202.141.255.255
202.142.0.0 - 202.142.255.255
202.144.0.0 - 202.144.255.255
202.173.0.0 - 202.173.255.255
202.177.0.0 - 202.177.255.255
202.179.0.0 - 202.179.255.255
202.184.0.0 - 202.184.255.255
202.2.0.0 - 202.2.255.255
202.21.0.0 - 202.21.255.255
202.4.0.0 - 202.4.255.255
202.41.0.0 - 202.41.255.255
202.43.0.0 - 202.43.255.255
202.52.0.0 - 202.52.255.255
202.54.0.0 - 202.54.255.255
202.55.0.0 - 202.55.255.255
202.56.0.0 - 202.56.255.255
202.60.0.0 - 202.60.255.255
202.62.0.0 - 202.62.255.255
202.65.0.0 - 202.65.255.255
202.68.0.0 - 202.68.255.255
202.70.0.0 - 202.70.255.255
202.81.0.0 - 202.81.255.255
202.86.0.0 - 202.86.255.255
202.89.0.0 - 202.89.255.255
202.90.0.0 - 202.90.255.255
202.91.0.0 - 202.91.255.255
203.112.0.0 - 203.112.255.255
203.122.0.0 - 203.112.255.255
203.124.0.0 - 203.124.255.255
203.129.0.0 - 203.129.255.255
203.132.0.0 - 203.132.255.255
203.145.0.0 - 203.145.255.255
203.152.0.0 - 203.152.255.255
203.163.0.0 - 203.163.255.255
203.168.0.0 - 203.168.255.255
203.188.0.0 - 203.188.255.255
203.190.0.0 - 203.190.255.255
203.192.0.0 - 203.192.255.255
203.195.0.0 - 203.195.255.255
203.197.0.0 - 203.197.255.255
203.86.0.0 - 203.86.255.255
203.90.0.0 - 203.90.255.255
203.94.0.0 - 203.94.255.255
206.252.0.0 - 206.252.255.255
207.113.0.0 - 207.113.255.255
207.235.0.0 - 207.235.255.255
207.44.0.0 - 207.44.255.255
209.61.0.0 - 207.44.255.255
209.66.0.0 - 209.66.255.255
210.190.0.0 - 210.190.255.255
210.210.0.0 - 210.210.255.255
210.212.0.0 - 210.212.255.255
210.214.0.0 - 210.214.255.255
210.4.0.0 - 210.4.255.255
212.162.0.0 - 212.162.255.255
212.63.0.0 - 212.63.255.255
216.217.0.0 - 216.217.255.255
216.6.0.0 - 216.6.255.255
217.6.0.0 - 217.6.255.255
63.68.0.0 - 63.68.255.255

The worm also acts as a backdoor server that allows remote control of an affected machine. Once installed, the worm connects to rsthost1.ods.org, port 8080, to announce its presence.  The backdoor has the following functions:

Analysis by Sha-Li Hsieh

The worm routine works only on Windows NT/2000/XP. The worm attempts to connect to other computers as either the current user or as Administrator.
It uses the following passwords:
  • stgzs
  • security
  • super
  • oracle
  • secret
  • root
  • admin
  • password
  • passwd
  • pass
  • 88888888
  • 888888
  • 00000000
  • 000000
  • 11111111
  • 111111
  • 111
  • fan@ing*
  • 54321
  • 654321
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234
  • 123
  • 12



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 13, 2017