MoSucker (2.0)
Server name: MoSucker
Version: 2.0
Different versions:  [1.0][1.1][2.0][2.1][2.1b]
Tested: Yes, on Windows 95 and Windows NT
Server size: 167K
Server files: MSNETCFG.exe

Infects: Windows 95/98/ME 
Autoloads: Can be system.ini and/or registry
Default port: 20005 TCP
Can port be changed: Yes

Server Features

  • Beep
  • Caps lock on/off
  • Chat with victim
  • Clipboard manager
  • Close/Remove server
  • Control mouse
  • Crash System
  • File manager
  • Flip screen either vertically or horizontally
  • Freeze screen
  • Get passwords entered by user 
  • Get/Set screen resolution
  • Get system info
  • Go to URL
  • Hang up internet
  • Hide/Show start button
  • Hide/Show system tray
  • Hide/Show task bar
  • Key logger
  • Minimize all windows
  • Open/Close CD-Rom
  • Ping server
  • Popup startmenu
  • Print text
  • Process manager
  • Search for files
  • Send message
  • Shutdown/Reboot/Standby/Logoff/Dos mode server
  • Systemkeys on/off
  • Window manager 

 
Comments 
MoSucker 2.0 is a Visual Basic trojan. MoSucker's edit server program lets the infection routine be changed and the notification information be set. MoSucker can auto load through the system.ini and/or the registry. Unlike any other trojan, MoSucker can be set to choose at random which method it uses to auto load. MoSucker can notify cell phones via SMS, in Germany only. MoSucker 2.0's edit server has more features than the previous version. The MoSucker server can now gain X kilobytes in size (X is either a static number or random each time). The standard error message for MoSucker 2.0 is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again." The file names MoSucker suggests for the server are: MSNETCFG.exe, unin0686.exe, CaIc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe and Register.exe.

Note: This is a trojan that can be submitted to us for analysis. We can possibly determine for you the password that was used and the ICQ UIN, Email or Cell phone number that was being notified. For more information on submitting trojan files to us read here.

How To Remove 
Quick fix: no quick fix programs
Manual removal: 
Note: %trojan file% can be any file. Usually %trojan file% is MSNETCFG.exe. Also the registry key can be changed from ~tmpunin.

  1. Close %trojan file%. If you cannot close the trojan file, reboot into DOS. Once in DOS, open system.ini and change shell=Explorer.exe %trojan file% to shell=Explorer.exe. Then delete %trojan file% and follow step 3 to remove it from the registry.
  2. If shell=Explorer.exe %trojan file% exists under [boot] in system.ini, change it to shell=Explorer.exe. This can be done with any text editing program.
  3. If the ~tmpunin key exists, remove it from the registry at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. This can be done with regedit or any other registry editing program.
  4. Delete the trojan file %trojan file% in the Windows directory.
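
The checks in steps 1 to 3 can be run against a copy of system.ini and a regedit text export of the machine. This is an added example, not part of the original page; the function names and sample inputs are constructed for illustration. Because the file name and the ~tmpunin name can be changed, a clean result does not rule out infection.

```python
import re

# Server file names this page lists as MoSucker's suggestions (lower-cased).
SUGGESTED = {"msnetcfg.exe", "unin0686.exe", "caic.exe", "http.exe",
             "mswinupd.exe", "ars.exe", "netupdate.exe", "register.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")

def shell_extras(system_ini):
    """Return every program other than Explorer.exe on shell= under [boot]."""
    section = None
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and re.match(r"shell\s*=", line, re.I):
            value = line.split("=", 1)[1]
            return [p for p in value.split() if p.lower() != "explorer.exe"]
    return []

def run_findings(reg_export):
    """Flag Run/RunServices values named ~tmpunin or pointing at a listed name."""
    hits, in_run = [], False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith(RUN_KEYS)
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            name, data = m.groups()
            # .reg exports double the backslashes; keep only the file name.
            tail = data.replace("\\\\", "\\").split("\\")[-1].split()
            exe = tail[0].lower() if tail else ""
            if name.lower() == "~tmpunin" or exe in SUGGESTED:
                hits.append((name, data))
    return hits

# Constructed sample inputs (not taken from a real machine).
SAMPLE_INI = "[boot]\nshell=Explorer.exe MSNETCFG.exe\n[386Enh]\n"
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"~tmpunin"="C:\\WINDOWS\\unin0686.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"NetCfg"="C:\\WINDOWS\\MSNETCFG.exe"
"""

if __name__ == "__main__":
    print("shell= extras:", shell_extras(SAMPLE_INI))
    print("Run entries:", run_findings(SAMPLE_REG))
```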

 
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.