Port No | 20005 |
Service Name | Mosucker |
RFC Doc | 0 |
Protocol | TCP |
Description | Works on Windows 95, 98 and ME. SMS notify for German users. |
Reference Link | Mosucker |
Attack |
Registry keys:
  HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Files:
  Mosucker.zip - 80,835 bytes
  Mosuck11.zip - 213810 bytes
  Mosucker1.1.zip - 214,191 bytes
  Mosucker1.12srv.zip
  Mosucker2.0.zip
  Mosucker2.1b.zip
  Mosucker2.11.zip
  Mosucker.exe - 133,120 bytes
  Mosucker.exe - 196,680 bytes
  Mosucker2.0.exe - 9,936 bytes
  Server.exe - 49,770 bytes
  Server.exe - 139,264 bytes
  Editserver.exe - 51,712 bytes
  Unin0686.exe
  Winmm.dll - 65,536 bytes
  Msnetcfg.exe - 6,452 bytes
  Calc.exe
  Http.exe
  Mswinupd.exe
  Ars.exe
  Netupdate.exe
  Register.exe
  Pkg6112.exe - [20 kb]
  Pkg6135.exe - [76 kb] (Pkg files with other numbers exist as well)
  RQKUKIWC.exe
  DADRUQ.exe
  DFJCWD.exe
  BMGPAD.exe
  BRMADO.exe
  BWSKFA.exe
  BCYUH.exe
  BHFQX.exe
  QHXCEM.exe
  OXIIOIFR.exe
  DVVJPHAY.exe
  KNJTUHH.exe
  ORCMW.exe
  FVEGPYYL.exe
  PLYOQMMC.exe
  TUTGVCN.exe
Actions: Remote Access. May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide which autostart method to use. Produces an error message while installing, "Could not find setuplog.bat", a file which apparently is used for autostarting. It first copies itself to $temp as a file named pkg*.exe, "pkg" being a fixed string. It also copies itself to $windows/unin0686.exe. |