W32/Mofei-E

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Several Reports


W32/Mofei-E is a network worm with a backdoor component.

W32/Mofei-E will attempt to spread to network shares protected by weak passwords.

W32/Mofei-E will attempt to hide itself from the user by injecting itself into a number of Windows processes. W32/Mofei-E will install itself as a service and modify the Alerter service path.

When first run, W32/Mofei-E copies itself to the Windows system folder as ALERTER.EXE. The worm then drops two files named SPC.EXE and SPTRES.DLL, both detected as W32/Mofei-E. The worm runs SPC.EXE and injects SPTRES.DLL into the EXPLORER.EXE process in order to hide itself from the user.

SPTRES.DLL will attempt to spread the main worm EXE to ADMIN$ and IPC$ shares protected by weak passwords.

When run, SPC.EXE will drop the following files into the Windows system folder:

SCARDSER.EXE
COMSOCK.DLL - later renamed to COMWSOCK.DLL
SOCKUP.DLL - later renamed to DMSOCK.DLL

All of these files are detected as W32/Mofei-E.

SCARDSER.EXE is run as a service and injects COMWSOCK.DLL into the LSASS.EXE process in order to hide itself from the user. COMWSOCK.DLL will then attempt to inject DMSOCK.DLL into one of the following processes:

EXPLORER.EXE
IEXPLORE.EXE
INETINFO.EXE
LSASS.EXE
MSIMN.EXE
MSMSGS.EXE
MSNMSGR.EXE
OUTLOOK.EXE
QQ.EXE
SVCHOST.EXE

DMSOCK.DLL is the main backdoor component of the worm. This component will also attempt to download and run further files.

W32/Mofei-E will also create the files INETCFG.H and MST.TLB in the Windows system folder. These are both data files used by the worm and can be deleted.

W32/Mofei-E will modify the path for the Alerter service to point to itself. The legitimate Alerter service has no executable of its own (on Windows XP/2003 it is hosted by svchost.exe), so an ImagePath that names ALERTER.EXE is itself an indicator of infection. The following registry entry will be changed:

HKLM\SYSTEM\ControlSet<number>\Services\Alerter\
ImagePath
<Windows folder>\System32\Alerter.exe

Because CurrentControlSet is a symbolic link to the control set that is currently in use, the same change is consequently visible under the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\Alerter\
ImagePath
<Windows folder>\System32\Alerter.exe

W32/Mofei-E will register itself as a service process with name "netlog" and display name "Net Login Helper". This ensures that SCARDSER.EXE is started automatically as a service.
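The persistence described above leaves two service-level indicators (a hijacked Alerter ImagePath and a "netlog" / "Net Login Helper" service) plus a fixed set of dropped file names in the Windows system folder. The following triage script is an added example, not part of the Sophos analysis and not code from the worm: it runs the corresponding checks over service records and a directory listing that an analyst would have exported from a suspect host. The service records and file listing embedded below are constructed sample data; the ImagePath shown for the netlog service is an assumption (the analysis says only that the service runs SCARDSER.EXE), and the set of legitimate Alerter host processes (svchost.exe on XP/2003, services.exe on Windows 2000) is supplied by the author of this example.

```python
"""Offline triage checks for W32/Mofei-E persistence indicators.

Input is a list of (registry key, DisplayName, ImagePath) tuples as they
might be exported from HKLM\\SYSTEM\\ControlSet<number>\\Services, plus a
listing of <Windows folder>\\System32. Nothing here touches a live system.
"""
import ntpath
import re

# File names the analysis says W32/Mofei-E drops into the system folder
# (including the renamed copies of the two DLLs and the two data files).
DROPPED_FILES = {
    "alerter.exe", "spc.exe", "sptres.dll", "scardser.exe",
    "comsock.dll", "comwsock.dll", "sockup.dll", "dmsock.dll",
    "inetcfg.h", "mst.tlb",
}

# Processes that legitimately host the Alerter service: svchost.exe on
# Windows XP/2003, services.exe on Windows 2000 (author's assumption for
# the 2000 case). A stand-alone ALERTER.EXE is never legitimate.
ALERTER_HOSTS = {"svchost.exe", "services.exe"}

# Matches keys under any numbered control set or the CurrentControlSet link.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$",
    re.IGNORECASE,
)


def image_exe(image_path: str) -> str:
    """Return the lower-cased executable name from a service ImagePath.

    Handles quoted paths with arguments ('"C:\\x y\\a.exe" /z') and the
    unquoted 'svchost.exe -k LocalService' form; %SystemRoot% is left
    unexpanded because only the basename matters here.
    """
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def check_services(services):
    """Return a list of finding strings for the given service records."""
    findings = []
    for key, display, image in services:
        match = SERVICE_KEY_RE.match(key)
        if not match:
            continue
        name = match.group(2).lower()
        exe = image_exe(image)
        if name == "alerter" and exe not in ALERTER_HOSTS:
            findings.append(f"{key}: Alerter ImagePath hijacked -> {image}")
        elif name == "netlog" or display.lower() == "net login helper":
            findings.append(f"{key}: W32/Mofei-E service '{display}' -> {image}")
        elif exe in DROPPED_FILES:
            findings.append(f"{key}: service runs known dropped file {exe}")
    return findings


def check_system_folder(listing):
    """Return the sorted subset of a System32 listing that matches dropped files."""
    return sorted({name.lower() for name in listing} & DROPPED_FILES)


# Constructed sample data: two infected entries, two clean services and a
# clean Alerter entry from a second control set.
SAMPLE_SERVICES = [
    ("HKLM\\SYSTEM\\ControlSet001\\Services\\Alerter", "Alerter",
     r"C:\WINDOWS\System32\Alerter.exe"),
    ("HKLM\\SYSTEM\\ControlSet001\\Services\\netlog", "Net Login Helper",
     r"C:\WINDOWS\System32\SCARDSER.EXE"),          # assumed ImagePath
    ("HKLM\\SYSTEM\\ControlSet001\\Services\\Messenger", "Messenger",
     r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    ("HKLM\\SYSTEM\\ControlSet001\\Services\\Browser", "Computer Browser",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    ("HKLM\\SYSTEM\\ControlSet002\\Services\\Alerter", "Alerter",
     r"%SystemRoot%\System32\svchost.exe -k LocalService"),
]

SAMPLE_SYSTEM32 = ["KERNEL32.DLL", "COMWSOCK.DLL", "dmsock.dll", "mst.tlb", "ntdll.dll"]

if __name__ == "__main__":
    for line in check_services(SAMPLE_SERVICES):
        print(line)
    print("dropped files present:", check_system_folder(SAMPLE_SYSTEM32))
```

On the constructed data the script reports the hijacked Alerter entry and the netlog service and lists the three worm files present in the folder; the clean Alerter record from ControlSet002 produces no finding because its ImagePath still points at svchost.exe.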
