Sophos

W32/Mofei-X

Summary

 
Affected operating systems: Windows
Included in our products from: November 2007 (4.23)
Protection available since: 27 September 2007 03:54:59 (GMT)
Detected by: All Sophos products

More Information

W32/Mofei-X is a worm for the Windows platform.

The worm can inject itself into other processes in an attempt to hide itself.

The worm provides backdoor access and control over the computer by opening a port (backdoor) and then listening for instructions sent from a remote client.

The remote intruder will be able to carry out a variety of actions, including getting a Windows command shell, getting a content listing for selected folders, deleting files and folders, executing files and downloading files from the internet.

When first run, W32/Mofei-X copies itself to <Temp>\Del1.tmp and creates the following files:

<Root>\1.hiv - may be deleted
<Root>\2.hiv - may be deleted
<System>\drivers\localpsrv.sys
<System>\localpsrv.dat - can be safely deleted
<System>\localpsrv.tbl - detected as W32/Mofei-X
<System>\localpst.dll - detected as W32/Mofei-X

The file localpsrv.sys is detected as Troj/RKPort-Fam.

The file localpst.dll is registered as a new service named "LocalPassSvcs". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\LocalPassSvcs
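
A host check for the files and service key listed above, as an added example that is not part of the Sophos description. The mapping of the <System>, <Root> and <Temp> placeholders to real directories is an assumption, as noted in the comments.

```powershell
# Added example, not Sophos code. Assumed placeholder mapping (not stated on the page):
#   <System> = %SystemRoot%\System32, <Root> = root of the system drive,
#   <Temp>   = the user's %TEMP% and, for a copy run as a service, %SystemRoot%\Temp.
$sys   = Join-Path $env:SystemRoot 'System32'
$root  = "$env:SystemDrive\"
$temps = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) | Select-Object -Unique

# Each path carries the note the description gives for that file.
$artifacts = @(
    foreach ($t in $temps) {
        @{ Path = (Join-Path $t 'Del1.tmp'); Note = 'copy of the worm' }
    }
    @{ Path = (Join-Path $root '1.hiv');                Note = 'may be deleted' }
    @{ Path = (Join-Path $root '2.hiv');                Note = 'may be deleted' }
    @{ Path = (Join-Path $sys 'drivers\localpsrv.sys'); Note = 'detected as Troj/RKPort-Fam' }
    @{ Path = (Join-Path $sys 'localpsrv.dat');         Note = 'can be safely deleted' }
    @{ Path = (Join-Path $sys 'localpsrv.tbl');         Note = 'detected as W32/Mofei-X' }
    @{ Path = (Join-Path $sys 'localpst.dll');          Note = 'detected as W32/Mofei-X' }
)

# Service key named in the description.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LocalPassSvcs'

$findings = @(
    foreach ($a in $artifacts) {
        # -Force so hidden or system files are still returned.
        $f = Get-Item -LiteralPath $a.Path -Force -ErrorAction SilentlyContinue
        if ($f) {
            [pscustomobject]@{
                Kind = 'File'; Item = $f.FullName
                Note = $a.Note; CreatedUtc = $f.CreationTimeUtc
            }
        }
    }
    if (Test-Path -LiteralPath $svcKey) {
        [pscustomobject]@{
            Kind = 'Service key'; Item = $svcKey
            Note = 'LocalPassSvcs service (localpst.dll)'; CreatedUtc = $null
        }
    }
)

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed W32/Mofei-X artifacts were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the System32 and drivers directories are readable. Because the description says the worm tries to hide itself, an empty result on a running system is not conclusive and should be confirmed with an anti-virus scan.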
