MoSucker


Name: MoSucker
Aliases: Backdoor.Mosucker, Pkg, Moosucker, Mosuc, Backdoor.EE
Ports: 1037, 16484, 20005 (ports can be changed)
Files: Mosucker.zip - 80,835 bytes
Mosuck11.zip - 213,810 bytes
Mosucker1.1.zip - 214,191 bytes
Mosucker1.12srv.zip - 42,276 bytes
Mosucker2.0.zip - 470,740 bytes
Mosucker2.1b.zip - 610,716 bytes
Mosucker2.11.zip - 599,511 bytes
Mosucker2.2.zip - 819,493 bytes
Mosucker_22.zip - 819,626 bytes
Mosucker99.zip
Ms11is.zip - 1,593,629 bytes
Eventseditor.zip
Mo_cgi.zip
Plugin_maker.zip
Skinmaker.zip
Mosucker.exe - 133,120 bytes
Mosucker.exe - 196,680 bytes
Mosucker.exe - 384,542 bytes
Mosucker.exe - 390,174 bytes
Mosucker.exe - 905,216 bytes
Mosucker2.0.exe - 295,966 bytes
Server.exe - 45,162 bytes
Server.exe - 49,770 bytes
Server.exe - 49,773 bytes
Server.exe - 139,264 bytes
Server.exe - 171,328 bytes
Server.exe - 185,818 bytes
Server.exe - 186,212 bytes
Editserver.exe - 51,712 bytes
Editserver.exe - 149,007 bytes
Editserver 2.0.exe - 143,375 bytes
Unin0686.exe
Rundil.exe
Winmm.dll - 65,536 bytes
Webdl.ocx - 32,768 bytes
Mosucker.chm - 25,364 bytes
Help.chm - 24,922 bytes
Skinmaker.exe - 14,848 bytes
Skin.ini - 1,067 bytes
Msnetcfg.exe - 6,452 bytes
Createserver.exe - 212,992 bytes
Calc.exe
Http.exe
Mswinupd.exe
Ars.exe
Netupdate.exe
Register.exe
Pkg6112.exe - [20 kb]
Pkg6135.exe - [76 kb] (Pkg-files with other numbers exist as well)
Bios killer plugin v1.0.gui - 831 bytes
Bios_killer_plugin.msp - 9,728 bytes
Upx.exe - 88,576 bytes
Setup.exe - 59,904 bytes
Setup.ini - 69 bytes
Setup.ins - 56,417 bytes
Setup.lid - 49 bytes
1.stub - 139,264 bytes
2.stub - 212,992 bytes
_inst321.ex_ - 300,143 bytes
_isdel.ex_ - 8,192 bytes
_setup.dll - 12,312 bytes
_sys1.cab - 187,806 bytes
_user1.cab - 45,509 bytes
Data.tag - 119 bytes
Data1.cab - 1,054,939 bytes
Lang.dat - 4,557 bytes
Layout.bin - 353 bytes
Os.dat - 417 bytes
BCYUH.exe
BHFQX.exe
BMGPAD.exe
BRMADO.exe
BWSKFA.exe
DADRUQ.exe
DFJCWD.exe
DVVJPHAY.exe
FVEGPYYL.exe
KNJTUHH.exe
ORCMW.exe
OXIIOIFR.exe
PLYOQMMC.exe
QHXCEM.exe
RQKUKIWC.exe
TUTGVCN.exe
Vvuijoe.exe
Winstart.bat
Xqwrmthm.sys
anyue.log - [= copy of MSNETCFG.exe]
Netstat.old - [= copy of Netstat.exe]
Created: Dec 1999
Requires: The standard Visual Basic 6 runtime files and Mswinsck.ocx are required to run the trojan.
Actions: Anti-protection trojan / Remote Access / Keylogger / Downloading trojan / LAN trojan
Registers: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
Notes: Works on Windows 95, 98, ME, NT, 2000 and XP. Telnet can also be used as a client. SMS notification is available for German users only.
Country: Written in Germany.
Program: Written in Visual Basic 6.0.

© Copyright von Braun Consultants. This information may include technical inaccuracies or typographical errors. If you have any questions or further information about the actual trojan above, please contact Joakim von Braun at <joakim.von.braun@risab.se>