MoSucker 2.0 is a Visual
Basic trojan. MoSucker's edit server program lets the infection routine
be changed and notification information set. MoSucker can auto load with
the system.ini and/or the registry. Unlike any other trojan, MoSucker can
be set to randomly choose with which method to auto load. MoSucker can
notify cell phones via SMS in Germany only. MuSucker 2.0's edit server
has more features then the previous version. Now the MoSucker server can
gain X number of kilobytes (X is either a static number or it is random
each time). The standard error message for MoSucker 2.0 is "Zip file is
damaged, truncated, or has been changed since it was created. If you downloaded
this file, try downloading again.". Here is a list of file names MoSucker
suggest to name the server: MSNETCFG.exe, unin0686.exe, CaIc.exe, HTTP.exe,
MSWINUPD.exe, Ars.exe, NETUPDATE.exe and Register.exe.
Note: This is a trojan
that can be submitted to us for analysis. We can possibly determine
for you the password that was used and the ICQ UIN, Email or Cell phone
number that was being notified. For more information on submitting trojan
files to us read here.
How To Remove
Quick fix: no quick
Note: %trojan file% can
be any file. Usually %trojan file% is MSNETCFG.exe.
Also the registry key can be changed from ~tmpunin.
file%. If you can not close the trojan file then reboot into DOS.
Once in DOS open the system.ini and change shell=Explorer.exe
%trojan file% to shell=Explorer.exe. Then delete the %trojan
file% and follow the step 3 to remove it from the registry.
%trojan file% exists then change it to shell=Explorer.exe under
[boot] in the system.ini. Which can be done with any other text editing
key exists then remove it in the registry located at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Which can be done with regedit or any other registry editing program.
Delete the trojan file
file% in the windows directory.