Published Sep 07, 2006 | Updated Apr 16, 2011

Backdoor:Win32/Mocbot.A

Detected by Microsoft Defender Antivirus

Aliases: IRC-Mocbot!MS06-040 (McAfee), W32.Wargbot (Symantec), WORM_IRCBOT.JL (Trend Micro), W32/Cuebot-L (Sophos), Backdoor:Win32/Graweg.A (other)

Summary

Backdoor:Win32/Mocbot.A is an IRC trojan that connects to an IRC channel and awaits commands from remote attackers. When instructed, Backdoor:Win32/Mocbot.A begins searching the local network for systems that have not yet applied the Microsoft Windows Server service security patch described in Microsoft Security Bulletin MS06-040. The trojan can also send messages via AOL Instant Messenger (AIM) and ICQ.
 
The exploit code used by Backdoor:Win32/Mocbot.A is only effective against unpatched systems. The trojan can still infect patched versions of Windows by means other than the exploit. For example, Backdoor:Win32/Mocbot.A could be distributed as an e-mail attachment, or a link to the trojan could be sent to e-mail or AIM recipients.
 
Backdoor:Win32/Mocbot.A may lower security settings on infected systems and allows the system to be used for nefarious purposes, such as launching a denial of service (DoS) attack against others. Backdoor:Win32/Mocbot.A can also download other files, so the trojan could update its functionality or download additional malicious software to infected systems.
 
Backdoor:Win32/Mocbot.A has been assigned CME ID 482 and will be detected by Microsoft as Backdoor:Win32/Mocbot.A!CME-482.

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.