MOSUCKER



MoSucker is a Visual Basic trojan. MoSucker's edit server program lets the infection routine be changed and the notification information be set. MoSucker can auto load through the system.ini and/or the registry. Unlike any other trojan, MoSucker can be set to choose at random which of these methods it uses to auto load. MoSucker can notify cell phones via SMS, in Germany only. MoSucker's edit server has more features than the previous version. The MoSucker server can now grow by X kilobytes (X is either a static number or random each time). The standard error message for MoSucker is "Zip file is damaged, truncated, or has been changed since it was created. If you downloaded this file, try downloading again." Here is the list of file names MoSucker suggests for the server: MSNETCFG.exe, unin0686.exe, CaIc.exe, HTTP.exe, MSWINUPD.exe, Ars.exe, NETUPDATE.exe and Register.exe.


How To Remove 
Quick fix: no quick fix programs
Manual removal: 
Note: %trojan file% can be any file. Usually %trojan file% is MSNETCFG.exe. Also the registry key can be changed from ~tmpunin.
  1. Close %trojan file%. If you cannot close the trojan file, reboot into DOS. Once in DOS, open the system.ini and change shell=Explorer.exe %trojan file% to shell=Explorer.exe. Then delete the %trojan file% and follow step 3 to remove it from the registry.
  2. If shell=Explorer.exe %trojan file% exists under [boot] in the system.ini, change it to shell=Explorer.exe. This can be done with any text editing program.
  3. If the ~tmpunin key exists, remove it from the registry. It is located at either HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. This can be done with regedit or any other registry editing program.
  4. Delete the trojan file %trojan file% in the windows directory. 
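
The checks in steps 2 and 3 can be run offline against a copy of system.ini and a regedit text export. The script below is an added example, not part of the original write-up; the function names and the sample data are constructed for illustration. Because the value name and file name can be changed, it flags anything extra on the shell= line and matches Run values on either the default name or a suggested file name.

```python
import re

# Server file names the page lists, plus the default registry value name.
SUGGESTED = {"msnetcfg.exe", "unin0686.exe", "caic.exe", "http.exe",
             "mswinupd.exe", "ars.exe", "netupdate.exe", "register.exe"}
DEFAULT_VALUE = "~tmpunin"
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = (BASE + "\\run", BASE + "\\runservices")

def shell_extras(system_ini_text):
    """Return every token after Explorer.exe on the [boot] shell= line."""
    section = None
    for line in map(str.strip, system_ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"shell\s*=\s*(.*)", line, re.I)
        if m and section == "boot":
            return [t for t in m.group(1).split() if t.lower() != "explorer.exe"]
    return []

def run_key_hits(reg_export_text):
    """Flag Run/RunServices values in a regedit text export (REGEDIT4)."""
    hits, key = [], ""
    for line in map(str.strip, reg_export_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key.lower() in RUN_KEYS:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            exe = re.search(r'([^\\/"\s]+\.exe)', data, re.I)
            if name.lower() == DEFAULT_VALUE or (exe and exe.group(1).lower() in SUGGESTED):
                hits.append((key, name, data))
    return hits

# Constructed sample artifacts (not taken from a real infection).
SAMPLE_INI = "[boot]\nshell=Explorer.exe MSNETCFG.exe\n[386Enh]\ndevice=*vshare\n"
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"~tmpunin"="C:\\WINDOWS\\svc32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"NetCfg"="C:\\WINDOWS\\unin0686.exe"
"""

if __name__ == "__main__":
    print("system.ini shell extras:", shell_extras(SAMPLE_INI))
    for hit in run_key_hits(SAMPLE_REG):
        print("registry:", hit)
```

A clean system returns an empty list from both functions; any hit still needs manual confirmation before the file is deleted.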
