
MSIL/Mofin


First posted on 23 September 2014.
Source: Microsoft

Aliases :

There are no other names known for MSIL/Mofin.

Explanation :

Threat behavior

Installation

MSIL/Mofin creates or copies itself into the following files:

  • \Programs\Startup\svchost..exe
  • %USERPROFILE%\Documents\suchost..exe


It then checks if \svchost.exe is running. If not, it will run a copy and then terminate itself.

Spread via...

Removable drives

MSIL/Mofin can create the following copy on removable drives, such as USB flash drives:

  • :\\movies.exe


It can also create an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Steals your documents

MSIL/Mofin searches your PC for files with the following extensions:

  • .doc
  • .docx
  • .pdf
  • .xls
  • .xlsx


It then copies the files it finds and sends them to a malicious hacker using a predefined email address via SMTP.

It creates one of the following files to mark that the files have been sent:

  • %PUBLIC%\Documents\wsystem.vx
  • %SystemRoot%\system\wsystem.vx
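
A triage check for the removable-drive and marker-file indicators described above, as an added example that is not part of the original write-up or any Microsoft tooling: it flags a drive root only when movies.exe is present or autorun.inf actually launches it (an autorun.inf on its own is not a finding), and looks for the wsystem.vx marker. The function names, finding labels and the sample autorun.inf contents are assumptions constructed for illustration.

```python
import ntpath
import os
import tempfile
from pathlib import Path

DROPPED_NAME = "movies.exe"   # copy written to removable drives (from the page)
MARKER_NAME = "wsystem.vx"    # "files sent" marker (from the page)
MARKER_DIRS = (r"%PUBLIC%\Documents", r"%SystemRoot%\system")

# Constructed sample; the page does not show the real autorun.inf contents.
SAMPLE_INF = "[autorun]\r\n; constructed sample\r\nopen=movies.exe\r\nicon=shell32.dll,4\r\n"

def autorun_targets(text):
    """Return lower-cased file names of programs an autorun.inf asks Windows to launch."""
    targets, in_autorun = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                # Keep the program only: quoted path, or first token.
                prog = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
                targets.append(ntpath.basename(prog).lower())
    return targets

def scan_drive_root(root):
    """Findings for one drive root: the dropped copy and an autorun.inf that launches it."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = ["dropped-copy"] if DROPPED_NAME in files else []
    inf = files.get("autorun.inf")
    # latin-1 never fails to decode; a UTF-16 autorun.inf would need separate handling.
    if inf and DROPPED_NAME in autorun_targets(inf.read_text(encoding="latin-1")):
        findings.append("autorun-launches-copy")
    return findings

def marker_files(dirs=MARKER_DIRS):
    """Return marker files that exist under the given directories."""
    paths = (Path(os.path.expandvars(d)) / MARKER_NAME for d in dirs)
    return [str(p) for p in paths if p.is_file()]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # stands in for a drive root
        Path(root, "autorun.inf").write_text(SAMPLE_INF)
        Path(root, "movies.exe").write_bytes(b"")  # empty placeholder, not malware
        print(scan_drive_root(root), marker_files())
```

On a Windows host, call `scan_drive_root` with the root of each mounted removable drive; `marker_files()` with no arguments expands the two environment-variable paths listed above.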




Analysis by Steven Zhou

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    \Programs\Startup\svchost..exe
    %USERPROFILE%\Documents\svchost.exe

Last update 23 September 2014