Backdoor:Win32/Mosucker.AA allows unauthorized access and control of an affected computer.
Installation
When executed, Backdoor:Win32/Mosucker.AA copies itself to <system folder>\updater.exe.
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "Windows Update"
With data: "c:\windows\system32\updater.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
The malware creates the following files on an affected computer:
The malware registers the file <system folder>\mswinsck.ocx, using the Windows utility regsvr32.exe with the /s parameter. Regsvr32.exe is a program that is used to register or unregister a COM (Component Object Model) DLL (dynamic link library). The /s parameter allows regsvr32 to run silently without displaying any messages. This action may result in the following registry modifications:
Adds value: "(default)"
With data: "microsoft winsock control, version 6.0"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}
Adds value: "(default)"
With data: "c:\windows\system32\mswinsck.ocx"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32
Adds value: "(default)"
With data: "{248dd896-bb45-11cf-9abc-0080c7e7b78d}"
To subkey: HKLM\SOFTWARE\Classes\MSWinsock.Winsock\CLSID
Adds value: "(default)"
With data: "{248dd896-bb45-11cf-9abc-0080c7e7b78d}"
To subkey: HKLM\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID
Adds value: "(default)"
With data: "mswinsock.winsock"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID
Adds value: "(default)"
With data: "mswinsock.winsock.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID
Adds value: "(default)"
With data: "{248dd890-bb45-11cf-9abc-0080c7e7b78d}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib
Adds value: "(default)"
With data: "1.0"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus
Adds value: "(default)"
With data: "132497"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1
Adds value: "(default)"
With data: "c:\windows\system32\mswinsck.ocx, 1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32
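As an added offline triage example (not code from the analysis system that produced this description), the following Python parses a regedit export and flags the Run-key persistence entry and the Winsock control registration listed above; the sample export is constructed, and the .reg-format parser and matching logic are my own assumptions about how an analyst would check collected registry exports.

```python
import re
# Indicators copied from the listing above; parser and matching logic are an added example.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windows Update"
RUN_BINARY = "updater.exe"
WINSOCK_CLSID = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
INPROC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\%s\InprocServer32" % WINSOCK_CLSID

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(".*")$')  # REG_SZ values only

def _unescape(quoted: str) -> str:
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])  # drop quotes, resolve \\ and \" escapes

def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a regedit 5.00 export into {key: {name: data}}; keys and names lower-cased.
    The default value (@) is stored as "(default)", as in the listing above."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SECTION.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE.match(line)):
            name = "(default)" if m.group(1) == "@" else _unescape(m.group(1))
            keys[current][name.lower()] = _unescape(m.group(2))
    return keys

def find_indicators(keys: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (severity, detail) pairs for the Mosucker.AA artifacts listed above."""
    findings = []
    run_data = keys.get(RUN_KEY.lower(), {}).get(RUN_VALUE.lower(), "")
    if run_data.lower().endswith(RUN_BINARY):
        findings.append(("high", f"Run value '{RUN_VALUE}' launches {run_data}"))
    ocx = keys.get(INPROC_KEY.lower(), {}).get("(default)", "")
    if ocx.lower().endswith("mswinsck.ocx"):
        # mswinsck.ocx is a legitimate Microsoft control; its registration only corroborates
        # the Run entry and is not an indicator on its own.
        findings.append(("info", f"MSWinsock control registered from {ocx}"))
    return findings

# Constructed sample export (not from a real host) containing both artifacts.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="c:\\windows\\system32\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
@="c:\\windows\\system32\\mswinsck.ocx"
"""
```

Run `find_indicators(parse_reg_export(SAMPLE_EXPORT))` against an export taken with `reg export`; a legitimately installed Winsock control yields only the "info" line, so the "high" Run entry is what should drive triage.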
Payload
Allows backdoor access and control
Backdoor:Win32/Mosucker.AA allows unauthorized access and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Mosucker.AA. This could include, but is not limited to, the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 d379b0607f741f0138a9d628b5148514654f3643.