spyware removal instructions

Mosucker removal

Spyware Mosucker Information
Name: Mosucker
Category: RAT
Date: 2000-01-06
Author: Krusty
Coded in: Visual Basic 6. Requires MSVBVM60.dll, MSWINSCK.ocx. Compressed with UPX.
Dangerous: Yes
Mosucker belongs to the RAT spyware category.
Features: key logger, transfer, info, restart, browser, chat, "fun". Superchachi created 3.0a & 3.0b from source supplied by Krusty. MoSucker ErEbuS was created by ErEbuS from source supplied by Krusty. Its presence means that your computer is infected with malicious software and is insecure.
Mosucker description by Krusty:
Creator: "MoSucker is a backdoor trojan, coded with Visual Basic 6. The server needs the vb6-runtime-dll msvbvm60.dll. It no longer needs any ocx-any file (you can change this in the EditServer). This trojan is written for Windows 95/98; it wasn't tested on other platforms like 98se, NT & 2K, but it should work there, too. MoSucker is the best or one of the best trojans ever programmed with vb. Have fun with it!"

2.30: Vendor: "This list will kill (terminate) all well-known firewalls & Anti-Virus applications currently running on the victim's system. It'll NOT delete or corrupt these applications, it'll just stop them."

3.0a: Vendor: "This list will kill (terminate) all well-known firewalls & Anti-Virus applications currently running on the victim's system. It'll NOT delete or corrupt these applications, it'll just stop them. Kills ZoneAlarm (Including Pro), LockDown, Norton AntiVirus, Trojan Check, Trojan 1st Aid Kit, Microsoft Visual Studio Spy utilities, Dr. Watson, RegEdit, The Cleaner, Trojan Defense Suit 3, Anti Trojan, Dr. Solomon, Norton Utilities, McAfee Virus scan, Kaspersky Anti Virus, RegRun II, Tau Watch, ANTS & AtGuard ... & others"

MoSucker 3.0b - Released Nov. 20th 2002
!!IMPORTANT!!
1) MoSucker 3.0b servers are not compatible with the MoSucker 3.0a edit server.
2) If you get any runtime errors, execute Runtimes.exe in the runtimes folder.
3) Check the announcements in the forum for the recent public CGI locations.
4) The edit server can not change the icon for servers that include the runtimes. Use reshacker or microangelo. Icon is 32x32 16 colors

Changes/bugfixes for 3.0b
- Modification of settings encryption for increased server security.
- Edit server & client install runtimes if needed (since nobody can read).
- MSN notification protocol error fixed.
- MSN notification no longer gives visible error message when service is down.
- Kill running system process checkbox error on reload fixed.
- File exists routine for bound any file fixed (bug rare)
- Improved error handling in edit server.
- Removed webdl.ocx dependency.

MoSucker ErEbuS: I've packaged the mosucker trojan into a new trojan installer that compresses the file differently. This also installs the visual basic 6.0 runtimes with it. Copies file to system directory quietly & runs mosucker. Of course, after it runs the mosucker server, the antivirus will pick it up. I leave this problem to you. These are the attached server's settings:
port: 1037 (default)
filename: wsvchost.exe
deny local connections
events: deleting/restoring of netstat & kills the threads of avs/fw
melts the install
ErEbuS
This RAT is also known as:
Backdoor.Mosuck.11.
Backdoor.Mosuck.20.
Backdoor.Mosuck.21.a.
Backdoor.Mosuck.21.b.
Backdoor.MoSuck.30.
Backdoor.MoSucker.10.
Backdoor.MoSucker.10 - named by Kaspersky.
Backdoor.Mosucker.20.a - named by a.
Bckdoor.MoSucker.22.plugin.
Backdoor.MoSucker.23.
Backdoor.MoSucker.30.a.
Backdoor.MoSucker.30.b.
Backdoor.Win32.MoSucker.10 - named by Kaspersky.
Backdoor/MoSucker - named by Computer Associates.
Backdoor/MoSucker_Client - named by Computer Associates.
BackDoor-EE - named by McAfee.
BackDoor-EE.svr - named by McAfee.
Bck/Mosuck.1.0 - named by Panda.
security risk or a "backdoor" program - named by F-Prot.
Win32.Mosuck.A - named by Computer Associates.


Mosucker Removal Instructions
Kill the following processes
backdoor.mosucker.11.exe, createserver.exe, editserver 2.0.exe, editserver.exe, free pink.exe, mosucker 2.0.exe, mosucker.exe, pics.zip.exe, server.exe, server1.exe, server2.exe, server3.exe, server4.exe, server5.exe, skinmaker.exe, jthh.exe, msnetcfg.exe, svr.exe, pkg310.exe, pkg332.exe, pkg3392.exe, unin0686.exe, vvuijoe.exe, v young.exe, w32mos~1.exe, w32mos~2.exe
Unregister the following DLLs and reboot
moicons.dll.
buxyelbk.dll in Windows\
Delete these registry entries
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{beuicvq-zpdev-zyk-oswoz-ipcjbgekjhf}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{eengqgs-gdrfc-zzvzd-thmp-dnvpuihfkre}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{hmcsqss-ejo-sdbyh-rcwb-ypenjkwjze}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{mbubrwf-krfhc-cpg-qygw-lrjscpnsur}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{rtemrsp-vhe-kgsoz-enjdg-tdtfhwtknffn}
Remove the following files
1.stub, 2.stub, 3.stub, avkill_large.ini, avkill_small.ini, backdoor.mosucker.11.exe, bios killer plugin readme.txt, bios killer plugin v1.0.gui, bios_killer_plugin.msp, build.stub, createserver.exe, data.tag, editserver 2.0.exe, editserver.exe, fake login readme.txt, fake login.gui, fakelogin.msp, free pink.exe, front.jpg, fuck me!!!!!.vbs, get.cgi, help+tutorial.chm, help.chm, htm.cgi, infector readme.txt, infector.gui, infector.msp, moicons.dll, mosucker 2.0.exe, mosucker.chm, mosucker.exe, mosucker.ini, msn mass message readme.txt, msn message v2 readme.txt, msn message v2.gui, msn message.gui, msnmsgv2.msp, new default.title.gif, newfeatures.txt, pics.zip.exe, picture 26.jpg, pictures[1].txt, put.cgi, read me.txt, readme.txt, runtimes.txt, server.exe, server1.exe, server2.exe, server3.exe, server4.exe, server5.exe, setup.ini, setup.ins, skin.ini, skinmaker.exe, superclicks readme.txt, superclicks.gui, superclicks.msp, tapisvc.sys.txt, thumbs.db, v young.exe, w32mosuck20.vex, w32mosuck21.vex, w32mos~1.exe, w32mos~2.exe, webdl.ocx.
buxyelbk.dll, jthh.exe, msnetcfg.exe, qirqgs.bin, unin0686.exe, vvuijoe.exe, wesapygp.sys, winexec32.dli, xqwrmthm.sys in Windows\
svr.exe in Windows\system\
pkg310.exe, pkg332.exe, pkg3392.exe in Windows\temp\
