- Virus is 32bit with a compressed size of 42,949
bytes – virus also carries a .DLL component
with a size of 20,480 bytes
- Virus has a dependency on PSAPI.DLL which may not
exist on Windows 98 systems
- Virus uses imports from MPR.DLL to add network
connections after first enumerating available machines
on the network – virus attempts to connect to
any machine found and infect it by copying itself
to that system
- If virus is run on a target system, it may copy
itself to the Windows\System32 folder as “SCARDSVR32.EXE”
along with “SCARDSVR32.DLL” and also modify
the registry to load at Windows startup –
”ScardDrv” = (Windows\System32)\SCARDSVR32.EXE -v
- The .DLL component contains instructions which
allows the .EXE file to run as a remote access Trojan
– it supports the use from client access instructions
such as the following –
ver: show version.
exit: exit this program.
passwd: change password.
passwd [newpassword] [re-newpassword]
port: change port.
port [newport] [re-newport]
cmd: get windows command shell.
pwd: get current directionary.
cd: change directionary.
dir: list files.
del: delete a file.
mkdir: make new directionary.
rmdir: remove a directionary.
exec: exec a DOS command.
- Virus attempts to locate the following specific
IP addresses and connect to them using a dictionary
list of logon names in an effort to propagate further
- These addresses typically reside within a multi-user
network and commonly behind a firewall and/or router
- Virus attempts to copy itself to the $ADMIN\System32
folder if it can successfully connect to any of the
target IP addresses
- Virus contains the string “MoFei.VER 126.96.36.199