Aliases: W32/Mocon
Variants: Mocon

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 26 Apr 2009
Damage: Medium

Characteristics: This malware is an autorun worm capable of logging keystrokes and stealing information from the victim computer. It spreads by copying itself to every removable drive it can reach. The Autorun function the worm abuses is a convenience feature of Windows that becomes dangerous in the hands of malicious users: it lets selected files run automatically when an autorun-enabled drive, such as a USB stick, is inserted into the system.

More details about W32.Mocon

When run on the host machine, the W32.Mocon worm creates an .exe file and an autorun.inf file. The autorun feature permits an executable on a drive to be launched as soon as the drive is used, and it is driven by the autorun.inf file: when a drive is mounted or opened, the operating system looks for autorun.inf at its root and, if it is present, follows the commands written in it. W32.Mocon writes its own autorun.inf rather than modifying an existing one, and that file instructs Windows to execute the worm every time the drive is accessed. Once the worm has loaded, it looks for further drives it can infect and repeats the process. Whether the trick succeeds depends on the victim's configuration: Windows only honours autorun.inf where AutoRun is enabled for that drive type, the 2011 AutoPlay update for Windows 7 and earlier stopped Windows from honouring autorun.inf on USB removable drives (optical media excepted), and the NoDriveTypeAutoRun policy disables it outright on systems that still honour it.
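The following triage script is an added example, not code from the original page or a W32.Mocon artifact. It parses an autorun.inf the way Windows reads it (only the [autorun] section, case-insensitive keys) and lists every program the file would launch, then checks whether those payloads are actually present on the drive. The sample autorun.inf and the file name RECYCLER\worm.exe are constructed placeholders, not the real names used by this worm.

```python
"""Triage an autorun.inf: report every command the file would have Windows run.

Added example, not code from the original page. The sample autorun.inf below
is constructed for illustration; 'RECYCLER\\worm.exe' is a placeholder, not
the real file name used by W32.Mocon.
"""
import os
import re
import tempfile

# Directives in the [autorun] section that name something to execute.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample: the same payload is wired to every launch directive so it
# runs no matter how the drive is opened (AutoPlay, double-click, context menu).
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample, not a real W32.Mocon artifact
OPEN=RECYCLER\\worm.exe
shellexecute=RECYCLER\\worm.exe
shell\\Open\\command=RECYCLER\\worm.exe
shell\\Explore\\command=RECYCLER\\worm.exe
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased key -> value.

    autorun.inf is an INI file; only the [autorun] section matters to Windows,
    and keys are case-insensitive. configparser is avoided because keys such as
    shell\\open\\command contain characters it treats specially.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every program Windows could execute: open=, shellexecute=, and each
    shell\\<verb>\\command= (the 'shell=' key only selects the default verb)."""
    targets = []
    for key, value in entries.items():
        if key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            # Keep the program path (quoted string or first token), drop arguments.
            m = re.match(r'"([^"]+)"|(\S+)', value)
            prog = (m.group(1) or m.group(2)) if m else value
            if prog not in targets:
                targets.append(prog)
    return targets


def scan_drive_root(root):
    """Look for autorun.inf at the root of a mounted drive and return
    (target, present) pairs so a responder can see which payloads exist."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    results = []
    for target in launch_targets(entries):
        full = os.path.join(root, *target.split("\\"))
        results.append((target, os.path.isfile(full)))
    return results


def demo():
    """Build a throw-away 'drive' holding the constructed autorun.inf and the
    payload it points at, then triage it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "RECYCLER"))
        with open(os.path.join(root, "RECYCLER", "worm.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real binary
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_drive_root(root)


if __name__ == "__main__":
    for target, present in demo():
        print(f"{target}  present={present}")
```

On a live investigation, call scan_drive_root with the mount point of each removable drive (for example E:\ on Windows or /media/usb on a Linux analysis box); a target that is present on the drive is the file to collect before cleaning, and one that is absent still tells you which name the worm expects.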

The worm also edits the registry. It adds an entry so that it executes every time Windows starts (the usual place for this kind of persistence is a Run key under HKCU or HKLM), and it modifies other entries to avoid detection. It logs keystrokes, collects the captured data in a log file, and sends that file to a predetermined URL. To remove W32.Mocon, terminate the cssrs.exe process in Windows Task Manager. Note the spelling: the worm's process name imitates the legitimate Windows process csrss.exe (the Client/Server Runtime Subsystem), which must not be terminated because Windows will crash, so check the image path of the process before ending it. Next, find all files added by the worm, then edit the registry so that every entry the malware added is deleted and every entry it modified is restored.
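The removal steps above come down to two checks a responder repeats on every infected machine: which autostart entries did the malware add, and which running process is the impostor. The script below is an added example, not code from the original page, and it works offline on the text of a `reg export` of the Run keys. It flags values whose executable name is a near-miss of a Windows system binary (cssrs.exe against csrss.exe) or that run from a user-writable location. The exported text, the user name alice and the file paths in it are constructed placeholders, not W32.Mocon's real locations.

```python
"""Triage Run-key autostart entries from a `reg export` text dump.

Added example, not code from the original page. SAMPLE_REG is constructed;
the paths and the user name are placeholders, not W32.Mocon's real locations.
"""
import re

# Constructed `reg export` output (.reg files are UTF-16 on disk; shown here as
# plain text). The "cssrs" value imitates the worm's process name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"cssrs"="C:\\Users\\alice\\AppData\\Roaming\\cssrs.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Legitimate Windows binaries whose names malware imitates with small edits.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}

# Directories a normal autostart entry is expected to live under.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (any escaped char)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for each string value in a .reg dump."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))


def program_path(data):
    """Program the Run value launches: a quoted path, or text up to '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r".*?\.exe", data, re.IGNORECASE)
    return m.group(0) if m else data.split()[0]


def edit_distance(a, b):
    """Levenshtein distance; 'cssrs.exe' is 2 edits from 'csrss.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(text):
    """Return (key, value_name, program, reasons) for every suspicious entry."""
    findings = []
    for key, name, data in parse_reg_export(text):
        path = program_path(data)
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        for legit in sorted(SYSTEM_NAMES):
            if base != legit and edit_distance(base, legit) <= 2:
                reasons.append(f"name imitates {legit}")
                break
        if not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("runs from a user-writable location")
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


if __name__ == "__main__":
    for key, name, path, reasons in triage(SAMPLE_REG):
        print(f"{key}\\{name} -> {path}: {'; '.join(reasons)}")
```

A look-alike name is a high-confidence hit; a location-only finding (here the OneDrive entry) is a review item, since plenty of legitimate software autostarts from the user profile. The same base-name comparison works on a process listing: run it over the image names from Task Manager or `tasklist` to pick out cssrs.exe before ending the process, and confirm the image path is not C:\Windows\System32, where the real csrss.exe lives.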