Event ID - 20005

Port No20005
Service NameMosucker
RFC Doc0
ProtocolTCP
DescriptionWorks on Windows 95, 98 and ME. SMS notify for German users.
Reference LinkMosucker
AttackRegisters:
HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Files:
Mosucker.zip - 80,835 bytes Mosuck11.zip - 213810 bytes Mosucker1.1.zip - 214,191 bytes Mosucker1.12srv.zip - Mosucker2.0.zip - Mosucker2.1b.zip - Mosucker2.11.zip - Mosucker.exe - 133,120 bytes Mosucker.exe - 196,680 bytes Mosucker2.0.exe - 9,936 bytes Server.exe - 49,770 bytes Server.exe - 139,264 bytes Editserver.exe - 51,712 bytes Unin0686.exe - Winmm.dll - 65,536 bytes Msnetcfg.exe - 6,452 bytes Calc.exe - Http.exe - Mswinupd.exe - Ars.exe - Netupdate.exe Register.exe - Pkg6112.exe - [20 kb] Pkg6135.exe - [76 kb] (Pkg-files with other numbers exists as well) RQKUKIWC.exe - DADRUQ.exe - DFJCWD.exe - BMGPAD.exe - BRMADO.exe - BWSKFA.exe - BCYUH.exe - BHFQX.exe - QHXCEM.exe - OXIIOIFR.exe - DVVJPHAY.exe - KNJTUHH.exe - ORCMW.exe - FVEGPYYL.exe - PLYOQMMC.exe - TUTGVCN.exe -

Actions:
Remote Access
May alter System.ini and/or Win.ini. One can choose to let Mosucker randomly decide what autostart method to use. Produces an error message while installing ""Could not find setuplog.bat"" which apparently is used for autostarting. It copies itself to $temp first, as a file named pkg*.exe, ""pkg"" being a fix string. It also copied itself to $windows/unin0686.exe.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.