Aliases: Mocbot.A, Win32.Esbot.M, WORM_MOCBOT.A
Variants: IRC-Mocbot [McAfee], IRCBot.NT

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 23 Oct 2005
Damage: Low

Characteristics: W32.Mocbot.A is a worm with backdoor capabilities. It spreads by exploiting the Plug and Play buffer overflow vulnerability in Microsoft Windows operating systems: a remote code execution flaw in the Plug and Play (PnP) service that gives a remote attacker who exploits it successfully full access to the system. With that access, the attacker can create accounts with full user rights, install programs, and view, change or delete data.

More details about W32.Mocbot.A

Once executed on the target machine, the W32.Mocbot.A worm copies itself to a file with an .exe extension. It creates two registry entries that register it as a service with the name 'wudpcom' and the display name 'Windows UDP Communication'. It also adds a value to a registry key to disable DCOM, and another value to a registry key to block NULL-session enumeration of the host. The worm is capable of injecting code into the explorer.exe process to delete its original file. W32.Mocbot.A also creates a .log file. It then opens a back door on the system by connecting to IRC domains on TCP port 18067. Once the back door is open, the compromised machine acts as a bot, allowing a remote attacker to carry out a range of malicious tasks on the system.

Through the bot, the worm can download and run files, flush the DNS cache, launch Denial of Service (DoS) attacks such as UDP or SYN floods, and search for files. It also creates a mutex to ensure that only a single instance of itself is running in memory. To remove the infection, start by rebooting the system in Safe Mode and ending the worm's process in Task Manager. Locate and delete all files added by the worm, then edit the registry to remove its entries. Next, restore the RestrictAnonymous and EnableDCOM registry values. Finally, download and install the patch that fixes the Windows vulnerability exploited by the worm.
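The check-and-restore steps above, written as an added PowerShell audit script; this is example code, not part of the original entry. It uses only indicators the entry gives (the 'wudpcom' service and its display name, TCP port 18067, the EnableDCOM and RestrictAnonymous values). The registry paths (HKLM\SOFTWARE\Microsoft\Ole for EnableDCOM, HKLM\SYSTEM\CurrentControlSet\Control\Lsa for RestrictAnonymous) and the values written back (EnableDCOM 'Y', RestrictAnonymous 0) are the standard Windows locations and defaults, which the entry itself does not state. Without the -Remediate switch the script only reports.

```powershell
# Added example (not from the original encyclopedia entry): audit, and optionally
# undo, the persistence and hardening changes the entry attributes to W32.Mocbot.A.
# Registry paths and restored default values below are assumptions based on
# standard Windows locations; the entry names only the value names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # omit to run in report-only mode
)

$ServiceName  = 'wudpcom'                                      # service name from the entry
$BackdoorPort = 18067                                          # IRC control channel port from the entry
$OleKey       = 'HKLM:\SOFTWARE\Microsoft\Ole'                 # assumed location of EnableDCOM
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumed location of RestrictAnonymous

$findings = @()

# 1. Persistence: the service the worm registers ('Windows UDP Communication').
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service '$($svc.Name)' ('$($svc.DisplayName)') present, binary: $($svc.PathName)"
    if ($Remediate -and $PSCmdlet.ShouldProcess($ServiceName, 'stop and delete service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        # Deleting the service removes its registry subtree; the dropped .exe
        # named in PathName still has to be quarantined separately.
        sc.exe delete $ServiceName | Out-Null
    }
}

# 2. The two hardening changes the worm makes: DCOM disabled, NULL sessions blocked.
$dcom = (Get-ItemProperty -Path $OleKey -ErrorAction SilentlyContinue).EnableDCOM
if ($dcom -eq 'N') {
    $findings += "EnableDCOM is 'N' (DCOM disabled)"
    if ($Remediate -and $PSCmdlet.ShouldProcess($OleKey, "set EnableDCOM='Y'")) {
        Set-ItemProperty -Path $OleKey -Name EnableDCOM -Value 'Y'   # assumed Windows default
    }
}

$ra = (Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue).RestrictAnonymous
if ($null -ne $ra -and $ra -ne 0) {
    $findings += "RestrictAnonymous is $ra (NULL-session enumeration restricted)"
    if ($Remediate -and $PSCmdlet.ShouldProcess($LsaKey, 'set RestrictAnonymous=0')) {
        Set-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value 0 -Type DWord   # assumed default
    }
}

# 3. Network: any live connection to the back-door port, with the owning process.
$conns = Get-NetTCPConnection -RemotePort $BackdoorPort -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Connection to $($c.RemoteAddress):$BackdoorPort from PID $($c.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Mocbot.A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it first without -Remediate and review the findings. A non-zero RestrictAnonymous is also a legitimate hardening setting that an administrator may have chosen deliberately, so confirm it was the worm that set it before resetting it to 0; the same applies to EnableDCOM on hosts where DCOM was intentionally disabled. The script does not locate the dropped .exe or the .log file, since the entry gives no file names; use the service's PathName from the first finding as the starting point for that step.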