Port No | 20005 |
Service Name | MoSucker |
RFC Doc | 0 |
Protocol | TCP |
Description | MoSucker 2.1 is a Visual Basic trojan. It ships with an edit-server program that lets the attacker change the infection routine and set notification details. MoSucker can autoload from system.ini and/or the registry, and, unlike other trojans of its kind, it can be configured to pick one of those autoload methods at random. It can notify cell phones via SMS, in Germany only. The standard decoy error message for MoSucker 2.1 is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again.". The edit-server program suggests the following file names for the server executable: MSNETCFG.exe, unin0686.exe, CaIc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe, Register.exe, RQKUKIWC.exe, DADRUQ.exe, DFJCWD.exe, BMGPAD.exe, BRMADO.exe, BWSKFA.exe, BCYUH.exe, BHFQX.exe, QHXCEM.exe, OXIIOIFR.exe, DVVJPHAY.exe, KNJTUHH.exe, ORCMW.exe, FVEGPYYL.exe, PLYOQMMC.exe and TUTGVCN.exe. Note that this version of MoSucker has several extra self-protection features that make removal harder. In particular, it can be configured to rewrite its autoload entries when the server process is closed: if the server autoloads from the registry and you terminate it, it recreates the registry key on exit. Any autoload entry you remove should therefore be checked again after the server process has been stopped. |
Reference Link | MoSucker Trojan |
Attack | Autoload: system.ini and/or the registry. Capabilities: Beep; Caps lock on/off; Chat with victim; Clipboard manager; Close/Remove server; Control mouse; Crash system; File manager; Flip screen vertically or horizontally; Freeze screen; Get passwords entered by user; Get/Set screen resolution; Get system info; Go to URL; Hang up internet; Hide/Show start button; Hide/Show system tray; Hide/Show task bar; Key logger; Minimize all windows; Open/Close CD-ROM; Ping server; Popup start menu; Print text; Process manager; Search for files; Send message; Shutdown/Reboot/Standby/Logoff/DOS mode server; System keys on/off; Window manager.
Removal:
1. Close the %trojan file%. If you are not sure which running process is the %trojan file%, work through the following steps: each of them references %trojan file%, and if that file is running you have found it (for example, if you find shell=Explorer.exe msnetcfg.exe and msnetcfg.exe is running, then msnetcfg.exe is your %trojan file%). This can be done with our program Trojan B' Gone. If you cannot close the %trojan file%, you will have to use removal method 2. Because the server may rewrite its autoload entries as it exits, re-check the locations in the steps below after the process has been closed.
2. If shell=Explorer.exe %trojan file% exists under [boot] in system.ini, change it to shell=Explorer.exe. This can be done with any text editor.
3. If a wsockcfg value exists in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, remove it. This can be done with regedit or any other registry editor.
4. Open winstart.bat and find the following three lines (without quotation marks): Line 1: "if exists c:\windows\%trojan file% then goto it_exists", Line 2: "copy %windir%\%trojan file2% c:\windows\%trojan file%", Line 3: "it_exists". Write down the %trojan file2% name, then remove all three lines from winstart.bat. This can be done with any text editor.
5. Open wininit.ini and find the following two lines (without quotation marks): Line 1: "[rename]", Line 2: "c:\windows\%trojan file%=c:\windows\%trojan file2%". Remove both lines from wininit.ini. This can be done with any text editor. Note that wininit.ini is processed at the next boot, so leaving this entry in place restores %trojan file% from %trojan file2% after a reboot.
6. Delete both %trojan file% and %trojan file2%, which are both probably in the Windows directory. |
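The removal steps above amount to checking four persistence locations for the same pair of file names and then deleting both files. The following script is an added example, not part of the original page or of the Trojan B' Gone tool it mentions: it parses constructed copies of system.ini, winstart.bat and wininit.ini plus a dictionary standing in for the Run/RunServices registry values, reports every indicator from steps 2 to 5, derives the set of files step 6 should delete, and produces the cleaned shell= line for step 2. The file contents and the msnetcfg.exe/unin0686.exe names (both from the page's list of suggested server names) are assumptions chosen to exercise the parser.

```python
import re

# Constructed sample files modelled on the indicators in the removal steps.
# None of this came from a real infected machine.
SYSTEM_INI = """[boot]
shell=Explorer.exe msnetcfg.exe
[386Enh]
device=*vmm32
"""

WINSTART_BAT = r"""@echo off
if exists c:\windows\msnetcfg.exe then goto it_exists
copy %windir%\unin0686.exe c:\windows\msnetcfg.exe
it_exists
"""

WININIT_INI = r"""[rename]
c:\windows\msnetcfg.exe=c:\windows\unin0686.exe
"""

# Stand-in for the value names under HKLM\...\CurrentVersion\Run (constructed).
RUN_VALUES = {"SystemTray": "SysTray.Exe", "wsockcfg": r"c:\windows\msnetcfg.exe"}


def ini_sections(text):
    """Parse INI text into {section_name_lower: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def shell_extras(system_ini):
    """Step 2: anything besides Explorer.exe on the [boot] shell= line."""
    for line in ini_sections(system_ini).get("boot", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell":
            return [p for p in value.split() if p.lower() != "explorer.exe"]
    return []


def clean_system_ini(system_ini):
    """Step 2 fix: rewrite the [boot] shell= line to plain shell=Explorer.exe."""
    out, section = [], None
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            out.append("shell=Explorer.exe")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


def suspicious_run_values(run_values):
    """Step 3: Run/RunServices value names matching the wsockcfg indicator."""
    return [name for name in run_values if name.lower() == "wsockcfg"]


def winstart_copy(winstart_bat):
    """Step 4: the three-line copy-back stanza; returns (trojan_file, trojan_file2) or None."""
    lines = [l.strip() for l in winstart_bat.splitlines()]
    for i in range(len(lines) - 2):
        m1 = re.match(r"if exists? (\S+) then goto it_exists$", lines[i], re.I)
        m2 = re.match(r"copy (\S+) (\S+)$", lines[i + 1], re.I)
        label = lines[i + 2].lstrip(":").lower() == "it_exists"
        if m1 and m2 and label and m2.group(2).lower() == m1.group(1).lower():
            return m1.group(1), m2.group(1)
    return None


def wininit_renames(wininit_ini):
    """Step 5: (destination, source) pairs under [rename]; applied at next boot."""
    pairs = []
    for line in ini_sections(wininit_ini).get("rename", []):
        dst, sep, src = line.partition("=")
        if sep:
            pairs.append((dst.strip(), src.strip()))
    return pairs


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def files_to_delete(system_ini, winstart_bat, wininit_ini):
    """Step 6: union of every file name the persistence entries point at."""
    names = {basename(p) for p in shell_extras(system_ini)}
    stanza = winstart_copy(winstart_bat)
    if stanza:
        names.update(basename(p) for p in stanza)
    for dst, src in wininit_renames(wininit_ini):
        names.update((basename(dst), basename(src)))
    return names


if __name__ == "__main__":
    print("shell extras:", shell_extras(SYSTEM_INI))
    print("run values:", suspicious_run_values(RUN_VALUES))
    print("winstart stanza:", winstart_copy(WINSTART_BAT))
    print("wininit renames:", wininit_renames(WININIT_INI))
    print("delete:", sorted(files_to_delete(SYSTEM_INI, WINSTART_BAT, WININIT_INI)))
```

Run it against the constructed inputs and it names msnetcfg.exe from all four locations and unin0686.exe from winstart.bat and wininit.ini; both go on the delete list, which is the point of writing down %trojan file2% in step 4. The winstart.bat matcher accepts both "if exists" as quoted on the page and the real batch keyword "if exist", and tolerates a leading colon on the label.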