W32/MoFei.worm.dr

This page shows the details and results of our analysis of the malware W32/MoFei.worm.dr.

Overview

W32/Mofei.worm.dr is a trojan that installs the W32/Mofei.worm virus when a malicious document or self-extracting (SFX) archive file is opened.

Most recently it has been delivered as a specially crafted Microsoft Word document. The document exploits a vulnerability in Microsoft Office 2000 that was unpatched (zero-day) at the time of this analysis, and uses it to drop and execute a Win32 executable embedded inside the document.

Minimum Engine

5600.1067

File Length

Varies

Description Added

2004-04-21

Description Modified

2006-09-04

Malware Proliferation

Characteristics

W32/Mofei.worm.dr is a trojan that installs the W32/Mofei.worm virus when a malicious document or self-extracting (SFX) archive file is opened.

Most recently it has been delivered as a specially crafted Microsoft Word document. The document exploits a vulnerability in Microsoft Office 2000 that was unpatched (zero-day) at the time of this analysis, and uses it to drop and execute a Win32 executable embedded inside the document.

When the exploit succeeds, the dropped executable runs and installs W32/Mofei.worm as the following file(s):

  • %Windir%\System32\clipbook.exe
  • %Windir%\System32\clipbook.dll

Products with program heuristics enabled have detected the W32/Mofei.worm executable proactively as New Malware.n since DAT version 4677.

(Where %Windir% is the Windows folder, e.g. C:\Windows)


Symptoms

Presence of one or more of the following file(s) detected as W32/Mofei.worm:
  • %Windir%\System32\clipbook.exe
  • %Windir%\System32\clipbook.dll

(Where %Windir% is the Windows folder, e.g. C:\Windows)

Method of Infection

W32/Mofei.worm.dr can be distributed by mass-mailed spam. Most recently it has been crafted as a Microsoft Word document that exploits a vulnerability in Microsoft Office 2000 that was unpatched (zero-day) at the time of this analysis.


Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants