W32.Mogi


Aliases: Worm@W32.Mogi
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: Asia, North America, Europe
Removal: Easy
Platform: W32
Discovered: 21 Nov 2005
Damage: Low

Characteristics: W32.Mogi is a peer-to-peer (P2P) network worm that propagates its code through file-sharing networks. It also lowers the infected machine’s security by altering the computer’s settings. The malware is likewise capable of opening a backdoor on the victim machine and of performing DoS (denial of service) attacks against third-party systems.

More details about W32.Mogi

P2P worms such as W32.Mogi copy their code into a shared folder on the victim machine. These shared folders belong to P2P file-sharing clients such as KaZaa, eMule, Limewire, Gnucleus, Morpheus, Bearshare, Donkey2000 and ICQ. Once the malware has planted its copy under a harmless-looking name, the P2P network takes over: it advertises the new share to other users and provides the means to download and run the infected file. When executed on the compromised machine, W32.Mogi copies itself and adds a value to a registry key so that it runs at Windows startup. It then creates the ‘iexplore’ mutex, which ensures that only a single copy of the malware runs on the infected machine.

The malware also terminates all security-related processes, thereby weakening the machine’s security. Next, the W32.Mogi worm drops several executable files and a DLL file that acts as a rootkit. The worm injects this DLL into the system’s processes, where it effectively hides the executable files the worm has dropped. The worm will also hide a DLL file if one is present on the machine, and it launches DoS (denial of service) attacks on particular domains. To remove the malware from the system, first end its process layer.exe in the Windows Task Manager, then search for all the files the worm added, and go on to edit the registry.
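A host-triage check for the indicators this entry names (the layer.exe process, the ‘iexplore’ mutex and a Run value launching the worm), added here as an example and not part of the original entry. The host snapshot is constructed inline so it runs offline; the P2P folder-name hints and the file locations in the sample are assumptions, not values from the entry.

```python
from dataclasses import dataclass

# Indicators stated in the entry: the worm's process name and the mutex it creates.
WORM_PROCESS = "layer.exe"
WORM_MUTEX = "iexplore"
# Folder-name fragments of the P2P clients the entry lists (assumption: real share
# paths vary per install, so these are matched as substrings of the Run-value path).
P2P_HINTS = ("kazaa", "emule", "limewire", "gnucleus", "morpheus",
             "bearshare", "donkey", "icq", "shared")


@dataclass
class HostSnapshot:
    processes: list    # image names from the process list
    run_values: dict   # Run-key value name -> command line
    mutexes: list      # named mutexes currently held on the host


def command_image(cmd: str) -> str:
    """Return the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(snap: HostSnapshot) -> list:
    """Return (kind, detail) findings in the order the entry removes them:
    the running process first, then the startup value pointing at dropped files."""
    findings = []
    for image in snap.processes:
        if image.lower() == WORM_PROCESS:        # iexplore.exe itself is not an indicator
            findings.append(("process", image))
    for m in snap.mutexes:
        if m.lower() == WORM_MUTEX:
            findings.append(("mutex", m))
    for name, cmd in snap.run_values.items():
        image = command_image(cmd).lower()
        if image.endswith(WORM_PROCESS) or any(h in image for h in P2P_HINTS):
            findings.append(("run_value", name))
    return findings


# Constructed snapshot of an infected host (sample data, not a real capture).
SAMPLE = HostSnapshot(
    processes=["explorer.exe", "iexplore.exe", "Layer.exe", "svchost.exe"],
    run_values={
        "AVMonitor": '"C:\\Program Files\\AV Vendor\\avmon.exe" /silent',
        "layer": "C:\\WINDOWS\\system32\\layer.exe",   # assumed drop location
        "Kazaa": '"C:\\Program Files\\Kazaa\\My Shared Folder\\setup.exe"',
    },
    mutexes=["iexplore", "ShimCacheMutex"],
)

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind:10} {detail}")
```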