MOCBOT
Mosucker, MoSucker_30, Mosuck
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
MOCBOT, also known as MOSUCKER, is a family of backdoors that users may download unknowingly. It has been in circulation since 2000.
It is a family of remote administration tools (RATs) used to gain control of the computer it infects. It can do the following:
- Download and execute other files
- Delete files
- Log keystrokes or steal sensitive data
- Run or terminate applications
- Upload files
TECHNICAL DETAILS
Installation
This backdoor drops the following file(s)/component(s):
- %System%\mswinsck.ocx
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %System%\Updater.exe
Autostart Technique
This backdoor adds the following registry entry to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Update = "%System%\Updater.exe"
Both the value name ("Windows Update") and the file name (Updater.exe) are chosen to resemble the legitimate Windows Update component, so the entry is easy to overlook in a manual review of the Run key.
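The following PowerShell script is an added hunting example, not part of this encyclopedia entry or of any vendor tool. It checks a host for the two persistence artifacts described above: a Run value named "Windows Update" that points at Updater.exe in the system folder, and the dropped Updater.exe itself. Because the Run key is under HKEY_CURRENT_USER, the value exists per user profile, so the script walks every loaded hive under HKEY_USERS rather than only the current user's. It also reports mswinsck.ocx, but only as context: that file is the Microsoft Winsock ActiveX control and is present on many clean systems, so on its own it is not evidence of infection. The value name and file names are taken from this page; the requirement for PowerShell 5 or later (for Get-FileHash) and the output layout are the example's own assumptions.

```powershell
# Added example (not from the advisory): hunt for MOCBOT persistence artifacts.
# Assumes the Run value name "Windows Update" and file name Updater.exe exactly
# as listed in the advisory, and PowerShell 5+ for Get-FileHash.

$valueName = 'Windows Update'
$systemDir = [Environment]::GetFolderPath([Environment+SpecialFolder]::System)
$dropped   = Join-Path $systemDir 'Updater.exe'
$ocx       = Join-Path $systemDir 'mswinsck.ocx'
$findings  = @()

# 1. Autostart: the Run key lives under HKCU, so check every loaded user hive,
#    skipping the *_Classes hives which never hold a Run key.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $hives) {
    $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $entry  = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($entry) {
        $cmd = $entry.$valueName
        $findings += [pscustomobject]@{
            Artifact = 'Run value'
            Location = "$runKey\$valueName"
            Detail   = $cmd
            # -like is case-insensitive; matches the expanded %System%\Updater.exe path
            Match    = ($cmd -like '*\Updater.exe*')
        }
    }
}

# 2. Dropped copy of the backdoor in the system folder. Record size, timestamp
#    and hash so the sample can be triaged without running it.
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $fi   = Get-Item -LiteralPath $dropped
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Artifact = 'Dropped executable'
        Location = $dropped
        Detail   = "Size=$($fi.Length) Modified=$($fi.LastWriteTime) SHA256=$hash"
        Match    = $true
    }
}

# 3. mswinsck.ocx is the legitimate Microsoft Winsock control and may exist on
#    clean machines; report it for context only and never count it as a match.
if (Test-Path -LiteralPath $ocx -PathType Leaf) {
    $findings += [pscustomobject]@{
        Artifact = 'Winsock control (context only)'
        Location = $ocx
        Detail   = "Modified=$((Get-Item -LiteralPath $ocx).LastWriteTime)"
        Match    = $false
    }
}

if ($findings | Where-Object { $_.Match }) {
    Write-Warning "MOCBOT persistence indicators present on $env:COMPUTERNAME"
}
$findings | Format-Table -AutoSize
```

Run it from an elevated session so that HKEY_USERS hives of other logged-on accounts are readable; profiles that are not loaded are not covered, and for those the offline NTUSER.DAT would have to be mounted separately.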
Other Details
This backdoor connects to the following possibly malicious URLs:
- ratnetwork.{BLOCKED}p.net
- d3xter.{BLOCKED}h.cx
- proxy1.{BLOCKED}s.com
- {BLOCKED}.{BLOCKED}.110.103