W32/Mofei-T

Please follow the instructions for removing worms.

W32/Mofei-T is a network worm with backdoor functionality for the Windows platform.

W32/Mofei-T may attempt to spread via network shares protected by weak passwords. W32/Mofei-T is a network worm with backdoor functionality for the Windows platform.

W32/Mofei-T may attempt to spread via network shares protected by weak passwords.

When first run W32/Mofei-T copies itself to <System>\netlog32.exe and creates the following files:

<System>\netlog32.dat
<System>\netlog32.dll

where netlog32.dat is a configuration data file and netlog32.dll is a file that provides backdoor functionality.

The file netlog32.exe is registered as a new system driver service named "netlog", with a display name of "Network Performance Alerts" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\netlog\

W32/Mofei-T provides backdoor access and control over the computer by creating a port (backdoor) and then listening for instructions being sent from a remote client.

The remote intruder will be able to carry out a variety of actions, including getting a Windows command shell, getting a content listing for selected folders, deleting files and folders, executing files and downloading files from the internet.

Sophos's anti-virus products include Behavioral Genotype™ Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against W32/Mofei-T (detected as Mal/Packer) since version 4.10.