W32/Mofei-V is a worm which spreads via network shares and contains a backdoor Trojan which allows remote access and control over the computer.
When first run, W32/Mofei-V copies itself to <Temp>\Del1.tmp and creates the following files:
<System>\iprip32.asf - detected as W32/Mofei-V
<System>\iprip32.dat - may be deleted
<System>\ipripst.dll - detected as W32/Mofei-V
The file ipripst.dll is registered as a new service named "IPRIP". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP
W32/Mofei-V can inject itself into other processes in an attempt to hide itself.
W32/Mofei-V provides backdoor access and control over the computer by opening a port (the backdoor) and then listening for instructions sent from a remote client.
The remote intruder will be able to carry out a variety of actions, including getting a Windows command shell, getting a content listing for selected folders, deleting files and folders, executing files and downloading files from the internet.
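The file and service indicators listed above can be checked on a live host or a mounted disk image. The following is an added example, not part of the original description: the function names, the `System32` location for <System>, and the `ServiceDll` value in the constructed registry sample are assumptions. The service check only reports the IPRIP key when one of its values names ipripst.dll, so the key name alone is never treated as a match.

```python
import os
import re

# File names from the description above; values are the page's own notes.
SYSTEM_FILES = {"iprip32.asf": "detected as W32/Mofei-V",
                "iprip32.dat": "may be deleted",
                "ipripst.dll": "detected as W32/Mofei-V"}
TEMP_FILES = {"del1.tmp": "copy of the worm"}
SERVICE_RE = re.compile(r"\\Services\\IPRIP(\\|$)", re.I)

# Constructed sample of `reg query ... /s` output (value name is an assumption).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\ipripst.dll
"""

def find_files(directory, wanted):
    """Match file names in one directory, ignoring case as Windows does."""
    try:
        names = os.listdir(directory)
    except OSError:          # directory missing or unreadable: nothing to report
        return []
    return sorted((os.path.join(directory, n), wanted[n.lower()])
                  for n in names if n.lower() in wanted)

def service_hits(reg_text):
    """Return value lines under the IPRIP service key that name ipripst.dll."""
    hits, in_key = [], False
    for line in reg_text.splitlines():
        s = line.strip()
        if s.upper().startswith(("HKEY_LOCAL_MACHINE\\", "HKLM\\")):
            in_key = SERVICE_RE.search(s) is not None   # new key header
        elif in_key and "ipripst.dll" in s.lower():
            hits.append(s)
    return hits

def triage(system_dir, temp_dir, reg_text=""):
    """Collect every indicator found; empty lists mean no match."""
    return {"system_files": find_files(system_dir, SYSTEM_FILES),
            "temp_files": find_files(temp_dir, TEMP_FILES),
            "service": service_hits(reg_text)}

if __name__ == "__main__":
    # Assumption: <System> is %SystemRoot%\System32 and <Temp> is %TEMP%.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    print(triage(os.path.join(root, "System32"),
                 os.environ.get("TEMP", ""), SAMPLE_REG))
```

On a live system, pass the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\IPRIP /s` as `reg_text` in place of the constructed sample.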