Aliases: W32/MoFei.worm, WORM_MOFEI.D, W32/Mofei-B, Worm.Win32.Mofeir.c
Variants: Net-Worm.Win32.Mofeir.w, WORM_MOFEI.A, WORM_MOFEI.AK

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Moderate
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 14 Jul 2003
Damage: Medium

Characteristics: W32.Femot.D.Worm is a worm considered as a network-aware. It has backdoor capabilities and is compressed with ASPack. This means that it can access the Windows command shell “Cmd.exe” or “Command.com.” It also runs executable files while consequently downloading files from the Internet. And lastly, it may delete/create files and folders. The continuous deletion of important files or folders may cause your windows to run badly or even crash.

More details about W32.Femot.D.Worm

All platforms of windows are vulnerable to this worm, may it be Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. The existence of the file Lasvr32.exe is an indication of a possible infection. This is the copy of the virus that is being copied in the windows directory folder. The worm also attempts to connect to other computers either as the current user or as Administrator. It uses the following passwords: stgzs, security, super, oracle, secret, root, admin, password, passwd, pass, 88888888, 888888, 00000000, 000000, 11111111, 111111, 111, fan@ing*, 54321, 654321, 12345678, 1234567, 123456, 12345, 1234, 123 and 12. The words uses the mentioned passwords to connect and run Navpw32.exe as a service. It also adds the service "Smart Card Helper," and sets it to run in window directory folder as Lasvr32.exe file. If it is already installed, the worm attempts to replace the service with itself. The worm also connects to the following websites by TCP port 8080 or 1080. These website are “google.ods.org” and “windowsupdate.daemon.sh.”

It is believed that the W32.Femot.D.Worm infection will allow attackers to remotely control a computer by sending commands to the user’s computer. The computer may be instructed to download and upload files, install and disable some applications, spread threats, and even delete all files stored in the user’s computer. According to some experts, the W32.Femot.D.Worm program automatically downloads unsolicited files into the computer without the consent of the user. It may download or install malicious files, Trojans, viruses and worms from remote servers to a user’s computer. It may even try to install other surveillance and advertising software.