MOCBOT


 ALIASES:

Mosucker, MoSucker_30, Mosuck

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


MOCBOT, also known as MOSUCKER, is a family of backdoors that may be downloaded unknowingly by the user. It has been around since 2000.

It is a family of remote administration tools (RATs). It is used to gain control of the computer it infects. It can do the following:

  • Download and execute other files

  • Delete files

  • Log keystrokes or steal sensitive data

  • Run or terminate applications

  • Upload files

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs

Installation

This backdoor drops the following file(s)/component(s):

  • %System%\mswinsck.ocx

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %System%\Updater.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update = "%System%\Updater.exe"

Other Details

This backdoor connects to the following possibly malicious URL:

  • ratnetwork.{BLOCKED}p.net
  • d3xter.{BLOCKED}h.cx
  • proxy1.{BLOCKED}s.com
  • {BLOCKED}.{BLOCKED}.110.103