W32/MoFei.worm, WORM_MOFEI.D, W32/Mofei-B, Worm.Win32.Mofeir.c
Net-Worm.Win32.Mofeir.w, WORM_MOFEI.A, WORM_MOFEI.AK
Category: Computer Worm
Europe, North and South America, and some parts of Asia and Australia
14 Jul 2003
W32.Femot.D.Worm is a network-aware worm with backdoor capabilities, compressed with ASPack. The backdoor gives it access to the Windows command shell (“Cmd.exe” or “Command.com”). It can also run executable files, download files from the Internet, and delete or create files and folders. Continued deletion of important files or folders may cause Windows to run badly or even crash.
W32.Femot.D.Worm Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Femot.D.Worm from your computer.
More details about W32.Femot.D.Worm
All Windows platforms are vulnerable to this worm: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. The presence of the file Lasvr32.exe indicates a possible infection; it is the copy of itself that the worm places in the Windows directory. The worm also attempts to connect to other computers either as the current user or as Administrator. It uses the following passwords: stgzs, security, super, oracle, secret, root, admin, password, passwd, pass, 88888888, 888888, 00000000, 000000, 11111111, 111111, 111, [email protected]*, 54321, 654321, 12345678, 1234567, 123456, 12345, 1234, 123 and 12. The worm uses these passwords to connect and run Navpw32.exe as a service. It also adds the service "Smart Card Helper" and sets it to run the file Lasvr32.exe from the Windows directory. If the service is already installed, the worm attempts to replace it with itself. The worm also connects to the following hosts on TCP port 8080 or 1080: “google.ods.org” and “windowsupdate.daemon.sh.”
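The indicators listed above (the Lasvr32.exe and Navpw32.exe service binaries, the "Smart Card Helper" service, and the two hosts on TCP 8080 or 1080) can be checked against exported service listings and outbound connection logs. The following is an added example, not part of the original write-up; the log layout, function names and sample records are assumptions constructed for illustration.

```python
import re

# Indicators taken from the description above.
WORM_FILES = {"lasvr32.exe", "navpw32.exe"}
WORM_SERVICE = "smart card helper"
WORM_HOSTS = {"google.ods.org", "windowsupdate.daemon.sh"}
WORM_PORTS = {8080, 1080}

# First executable name in a service image path (quotes and arguments allowed).
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)
# Assumed log layout: "<timestamp> <source> -> <host>:<port>"
CONN_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+([\w.-]+):(\d+)\s*$")

def check_services(services):
    """services: iterable of (display_name, image_path) pairs."""
    findings = []
    for name, image_path in services:
        match = EXE_RE.search(image_path)
        exe = match.group(1).lower() if match else ""
        if exe not in WORM_FILES:
            # The service name alone is not flagged: the worm may replace
            # a "Smart Card Helper" service that was already installed.
            continue
        is_helper = name.strip().lower() == WORM_SERVICE
        kind = "smart-card-helper" if is_helper else "other-service"
        findings.append((kind, name, exe))
    return findings

def check_connections(lines):
    """Flag connections to the worm's hosts; a listed port raises the level."""
    findings = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        _, source, host, port = m.groups()
        host = host.lower().rstrip(".")
        if host in WORM_HOSTS:
            level = "high" if int(port) in WORM_PORTS else "review"
            findings.append((level, source, host, int(port)))
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_SERVICES = [
    ("Smart Card Helper", r"C:\WINDOWS\Lasvr32.exe"),
    ("Smart Card Helper", r"C:\WINDOWS\System32\SCardSvr.exe"),
]
SAMPLE_CONNECTIONS = [
    "2003-07-15T09:12:01 10.0.0.23 -> google.ods.org:8080",
    "2003-07-15T09:12:05 10.0.0.23 -> www.example.com:80",
    "2003-07-15T09:13:40 10.0.0.31 -> WindowsUpdate.daemon.sh:1080",
]
```

Calling `check_services(SAMPLE_SERVICES)` and `check_connections(SAMPLE_CONNECTIONS)` returns one service finding and two connection findings for the constructed data.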
It is believed that the W32.Femot.D.Worm infection will allow attackers to remotely control a computer by sending commands to the user’s computer. The computer may be instructed to download and upload files, install and disable some applications, spread threats, and even delete all files stored in the user’s computer. According to some experts, the W32.Femot.D.Worm program automatically downloads unsolicited files into the computer without the consent of the user. It may download or install malicious files, Trojans, viruses and worms from remote servers to a user’s computer. It may even try to install other surveillance and advertising software.