Backdoor.Mosuc

SUMMARY

Backdoor.Mosuc is a Trojan horse that is similar to Backdoor.SubSeven, Netbus or Back Orifice. It enables a hacker to access the computer over the Internet without your knowledge.

Behavior

Symptoms

Transmission

Protection

• Virus Definitions (Intelligent Updater) October 3, 2000

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

When the server portion of Backdoor.Mosuc is running on a computer, it is possible for the hacker who is accessing the computer remotely to do any of the following:

• Terminate dial-up connections
• Browse files and folders on your computer
• Create or remove folders
• Restart the computer
• Rename or move files
• Minimize windows
• Open the CD-ROM drive
• Hide or show the taskbar
• Set the cursor to random positions
• Cause the computer to crash
• Go to a specific URL
• Display pop-up messages and dialog boxes
• Capture real-time screen information
• Open and close programs

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove Backdoor.Mosuc, you must follow these procedures:

NOTE: These instructions are for Windows 95/98/Me. If you are using Windows 2000/XP, skip to the section Removal under Windows 2000/XP near the end of this document.

1. Create or obtain a Startup disk
2. Ensure that you have the most recent virus definitions
3. Restart the computer to a command prompt
4. Run the DOS scanner and delete files detected as Backdoor.Mosuc
5. Restart the computer in Safe mode.
6. Edit the registry and remove entries that were made by the Trojan
7. Edit the System.ini file and remove entries that were made by the Trojan

For detailed instructions, read the sections that follow.

1. Create or obtain a Startup disk
Before you begin the removal process, you should create or obtain a Windows 98 Startup disk. If you are running Windows 95, then you may be able to obtain one from a local computer store. To create one on a Windows 98 computer, follow these steps:

CAUTION: This must be done on an uninfected computer. Do not do this on the computer that is infected with the virus.

1. Click Start, point to Settings, and click Control Panel.
2. Double-click Add/Remove Programs.
3. Click the Startup Disk tab.
4. Place a new, formatted floppy disk in the floppy disk drive.
5. Click Create Disk, and then follow the prompts.

2. Ensure that you have the most recent virus definitions
Norton AntiVirus must be installed, and you must have virus definitions dated October 25, 2000, or later. If your virus definitions are up to date, then proceed to the next section. If they are not up to date, either run LiveUpdate or download the definitions from the Symantec Security Response Web site by following the instructions in the document How to update virus definition files using the Intelligent Updater.

3. Restart the computer to a command prompt
You must restart the computer to a command prompt. Follow the steps for your version of Windows:

• Windows 95
  1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
  2. Click Restart, and then click Yes. Windows shuts down, and the computer restarts.
  3. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
  4. Press the number corresponding to "Command Prompt only," and then press Enter.
• Windows 98
  1. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
  2. Click Restart, and then click OK. Windows shuts down, and the computer restarts.
  3. As the computer restarts, press and hold down the Ctrl key until the Windows 98 Startup Menu appears.
     
     NOTE: On some computers, a keyboard or other error may appear during restart as you hold down the Ctrl key. If so, then follow the prompts to press a key to continue (for example, the message may prompt you to press the Esc key), and then immediately press and hold down the Ctrl key again.
     
  4. Press the number corresponding to "Command Prompt only," and then press Enter.

4. Delete the infected files
Follow these steps to delete the infected files:

1. Type dir /s /b avdx.exe and then press Enter. This displays the path to the Norton AntiVirus DOS scanner. (If NAV is installed to a different drive, then change to the root of that drive first.)
2. Write down the path as shown, for example, Progra~1Norton~3.
3. Using the folder names that you just wrote down, change to the folder where Navdx.exe is installed. For example, type the following entries and press Enter after each one:
   
   cd
   cd progra~1
   cd norton~3
   
   NOTE: Make sure that you modify the commands to reflect the DOS folder names that you wrote down in step 2.
   
4. Type the following, and then press Enter:
   
   navdx /a /doallfiles /prompt
   
   The Norton AntiVirus DOS scanner starts. Follow the prompts. If any files are detected as Backdoor.Mosuc, first write down the file names, and then choose Delete. Allow the scan to finish, and then go on to the next section.
   
   CAUTION: This could take several hours or more on some computers. Do not attempt to stop the scan once it has started.
   
   When the scan has finished, go on to the next section.

5. Restart the computer in Safe mode
For instructions on how to do this, read the document How to restart Windows 9x or Windows Me in Safe mode. Once Windows is in Safe mode, go on to the next section.

6. Edit the registry
This Trojan can be programmed to load from several locations in the Windows registry. Because this Trojan does not use a fixed file name, you must check all of these locations and look for a line that refers to any of the file names that were detected as Backdoor.Mosuc. Follow these steps:

CAUTION: We strongly recommend that you back up the system registry before you make any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified. Please see the document How to back up the Windows registry before you proceed.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate in turn to each of the following keys:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
   
   For each one, select the key in the left pane and then look in the right pane. Examine the text in both Name and Data columns. If any refer to the file names that were detected as Backdoor.Mosuc, click on the value in the Name column, press Delete, and then click Yes to confirm.
4. Click Registry, and then click Exit.

7. Edit the System.ini file
Follow these steps to edit the System.ini file and remove entries that were made by the Trojan:

1. Click Start, and click Run.
2. Type the following, and then click OK.
   
   edit c:windowssystem.ini
   
   The MS-DOS Editor opens.
   
   NOTE: If Windows is installed in a different location, make the appropriate path substitution.
   
3. In the [boot] section at the beginning of the file, look for the line that begins with:
   
   shell=Explorer.exe
   
4. Look for an additional item that has been added to the line. It may appear similar to the following:
   
   shell=Explorer.exe Zip.exe
   
5. Remove the reference to Zip.exe. When you are finished, the line must appear as follows:
   
   shell=Explorer.exe
   
6. Click File, and then click Save.
7. Click File, and then click Exit.

Removal under Windows 2000/XP
The information in this section is for users of Windows 2000/XP only.

To date there have been several reports of infections occurring on Windows XP-based computers. (There are no reported Windows 2000 infections, but removal would be the same.)

Because you cannot start these operating systems in MS-DOS, you must perform the removal in Safe mode.

1. Make sure that your virus definitions are dated October 25, 2000, or later. If they are not, either run LiveUpdate or download the definitions from the Symantec Security Response Web site by following the instructions in the document How to update virus definition files using the Intelligent Updater.
2. Restart the computer in Safe mode. For instructions, read the document for your operating system.
   • How to start Windows XP in Safe Mode.
   • How to start Windows 2000 in Safe mode.
3. Run a full system scan. If any files are detected as Backdoor.Mosuc, first write down the file names, and then click Delete.
4. Remove the registry entries that the Trojan added by following the instructions in the previous section, 6. Edit the registry.
5. Restart the computer.