
Virus Detail

Win32/Mocmex.AM

Date Published:
19 Feb 2008

Last Updated:
20 Feb 2008

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  Medium

Characteristics

Type : Worm

Category : Win32

Also known as:  Trojan:Win32/Agent (MS OneCare), WORM_AGENT.TBH (Trend), W32/Autorun.worm.e (McAfee), Mal/Emogen-N (Sophos), Trojan Horse (Symantec), Packed.Win32.NSAnti.r (Kaspersky)

Immediate Protection Info

Signature    Product                    Removal Instructions
31.1.5107    CA Antivirus 2007
31.1.5107    eTrust Antivirus v7/8*
7.x/5107     eTrust EZ Antivirus 7.x
31.1.5107    Vet 7

Description

Win32/Mocmex.AM is a worm that attempts to spread via removable drives. It also disables security-related software and downloads and executes arbitrary files.


Method of Infection

When executed, Win32/Mocmex.AM drops several files, including a copy of itself, to the %Program Files% directory. It uses randomly generated filenames, for example:


%Program Files%\.inf
%Program Files%\Common Files\Microsoft Shared\vnwpbns.exe
%Program Files%\cfkbyse.inf


Note: %Program Files% is a variable location. The malware determines the location of the current Program Files folder by querying the operating system. A typical location for this folder would be C:\Program Files.



Method of Distribution

Via Removable Drives

Win32/Mocmex.AM attempts to spread by copying itself to removable drives. It enumerates the drives on the affected machine and copies itself to the root directory of every removable drive it finds, using a randomly generated filename, and sets the Hidden attribute on the copied executable so that it does not appear in a default Explorer view.


The worm also creates an "autorun.inf" in the drive root, again with the Hidden attribute set. This file points Windows AutoRun at the hidden worm executable, so the worm is launched when the drive is connected to, or opened on, another machine.
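As an added example (not code from the CA advisory), the following PowerShell function triages every removable drive attached to a machine for exactly the pattern described above: a hidden autorun.inf in the drive root whose launch directives point at a hidden executable in the same root. It is read-only and reports rather than deletes; the directive names it parses (open=, shellexecute=, shell\<verb>\command=) are the standard autorun.inf keys that cause execution. It needs PowerShell 3.0 or later and should be run from an elevated prompt.

```powershell
# Added example (not code from the CA advisory): triage every removable drive
# for the pattern described above, a hidden autorun.inf plus a hidden
# executable in the drive root. Read-only: it reports, it does not delete.
# Needs PowerShell 3.0 or later; run from an elevated prompt.

function Get-RemovableAutorunFindings {
    [CmdletBinding()]
    param()

    # DriveType 2 = removable disk (USB sticks, card readers)
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        $inf  = Join-Path -Path $root -ChildPath 'autorun.inf'

        # -Force is required to see files carrying the Hidden attribute
        $infItem   = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        $infHidden = [bool]($infItem -and
            (($infItem.Attributes -band [IO.FileAttributes]::Hidden) -ne 0))

        # Directives in autorun.inf that cause code to run when the drive is
        # inserted or opened: open=, shellexecute=, shell\<verb>\command=
        $launchTargets = @()
        if ($infItem) {
            $launchTargets = @(Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=' } |
                ForEach-Object { $_.Trim() })
        }

        # Hidden executables in the root are where the worm places its copy
        $hiddenExes = @(Get-ChildItem -LiteralPath $root -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                ($_.Extension -match '^\.(exe|com|scr|pif|bat|cmd)$')
            })

        [PSCustomObject]@{
            Drive             = $d.DeviceID
            AutorunPresent    = [bool]$infItem
            AutorunHidden     = $infHidden
            LaunchTargets     = $launchTargets
            HiddenExecutables = @($hiddenExes | ForEach-Object { $_.Name })
            Suspicious        = ($launchTargets.Count -gt 0) -or ($hiddenExes.Count -gt 0)
        }
    }
}

Get-RemovableAutorunFindings | Format-List
```

A drive reported with Suspicious = True should be examined before any file on it is opened in Explorer; the LaunchTargets field shows verbatim which file the autorun.inf would start, so the hidden copy can be matched against the HiddenExecutables list.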

Payload

Disables Security Software

Win32/Mocmex.AM lowers the security of an affected machine by hijacking the launch of common security-related applications. For each targeted executable it registers the worm as that program's debugger under Image File Execution Options. Windows starts a registered "debugger" in place of the program whenever the program is run, so the security tool never launches and the worm executable runs instead. The entries have the form:


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<security application executable>
    Debugger = "%Program Files%\Common Files\Microsoft Shared\<worm executable>"


For example, Mocmex may create the registry entry:


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "C:\Program Files\Common Files\Microsoft Shared\vnwpbns.exe"


The executables Mocmex looks for and hijacks in this way are listed below:


360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
ArSwp.exe
AST.exe
autoruns.exe
avconsol.exe
avgrssvc.exe
AvMonitor.exe
avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
EGHOST.exe
FileDsty.exe
FTCleanerShell.exe
FYFireWall.exe
HijackThis.exe
IceSword.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPF.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPfwSvc.exe
KPFWSvc.exe
KRegEx.exe
KRepair.com
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
Navapsvc.exe
Navapw32.exe
nod32.exe
nod32krn.exe
nod32kui.exe
NPFMntor.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
QQDoctor.exe
QQKav.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
rfwcfg.exe
rfwmain.exe
RfwMain.exe
rfwsrv.exe
RsAgent.exe
Rsaupd.exe
rstrui.exe
runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.EXE
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
upiea.exe
UpLive.exe
USBCleaner.exe
vsstat.exe
webscanx.exe
WoptiClean.exe
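As an added example (not code from the CA advisory), the PowerShell below audits Image File Execution Options for the hijack just described: it lists every subkey carrying a Debugger value and flags those that either do not name a known debugger or point into the Common Files\Microsoft Shared directory where this worm drops its copy. The known-debugger list is an illustrative assumption and should be extended for the environment; the -Remove switch, run elevated, deletes the Debugger value from flagged entries, which is what restores normal launching of the hijacked tool.

```powershell
# Added example (not code from the CA advisory): audit Image File Execution
# Options for Debugger values, the mechanism the worm uses to replace security
# tools with its own executable. The known-debugger list is an illustrative
# assumption; extend it for your environment. -Remove (elevated) deletes the
# Debugger value from flagged entries, which restores normal launching.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$KnownDebuggers = @('ntsd.exe', 'cdb.exe', 'windbg.exe', 'vsjitdebugger.exe', 'drwtsn32.exe')

function Get-IfeoDebuggerHijack {
    [CmdletBinding()]
    param([switch]$Remove)

    foreach ($key in @(Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue)) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }

        # The value is a command line: "quoted path" [args] or path [args]
        if ($debugger -match '^\s*"([^"]+)"') { $exePath = $Matches[1] }
        else { $exePath = ($debugger.Trim() -split '\s+', 2)[0] }
        $exeName = [IO.Path]::GetFileName($exePath).ToLowerInvariant()
        if (-not [IO.Path]::HasExtension($exeName)) { $exeName += '.exe' }

        # Two independent signals: the binary is not a known debugger, or it
        # lives where the worm drops its copy
        # (...\Common Files\Microsoft Shared\<random>.exe)
        $unknownBinary = $KnownDebuggers -notcontains $exeName
        $wormDropDir   = $exePath -match '\\Common Files\\Microsoft Shared\\[^\\]+\.exe$'
        $suspicious    = $unknownBinary -or $wormDropDir

        [PSCustomObject]@{
            HijackedProgram = $key.PSChildName
            Debugger        = $debugger
            DebuggerExists  = [bool](Test-Path -LiteralPath $exePath -ErrorAction SilentlyContinue)
            Suspicious      = $suspicious
        }

        if ($Remove -and $suspicious) {
            Remove-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction Stop
        }
    }
}

Get-IfeoDebuggerHijack | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Review the full listing before using -Remove: some legitimate software also sets Debugger values (for example a vendor's crash handler), and such entries will appear as Suspicious until their binary is added to the known-debugger list. Removing the value is safe even for the worm's entries, since the hijacked security tool is left untouched on disk and simply starts normally again.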


Stops and Disables Services

The worm stops the following security-related services if they are running, and sets them to Disabled so that they do not restart:


SharedAccess  (Windows Firewall / Internet Connection Sharing)
helpsvc       (Help and Support)
wscsvc        (Security Center)
wuauserv      (Automatic Updates)

Modifies System Settings

Win32/Mocmex.AM makes registry modifications that enable AutoPlay, so that its autorun.inf on removable drives is honoured, and that configure Explorer not to show files marked Hidden, which conceals the worm's hidden copies and autorun.inf files.
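As an added example (not code from the CA advisory), the PowerShell below checks the four services listed under "Stops and Disables Services" and the two settings described here, and puts them back when run with -Fix. The advisory does not list the exact values the worm writes, so the registry locations used are the standard Windows ones for these settings and are an assumption: Explorer's Hidden / ShowSuperHidden values under the user's Explorer\Advanced key, and the NoDriveTypeAutoRun policy, whose value 0xFF disables AutoRun for every drive type. Run from an elevated prompt.

```powershell
# Added example (not code from the CA advisory): check the four services the
# worm disables and the Explorer/AutoRun settings it is described as changing,
# and put them back with -Fix. The registry values used here are the standard
# Windows locations for those settings; the advisory does not list the exact
# values the worm writes, so they are an assumption. Run elevated.

$Services = @{
    'SharedAccess' = 'Windows Firewall / Internet Connection Sharing'
    'helpsvc'      = 'Help and Support'
    'wscsvc'       = 'Security Center'
    'wuauserv'     = 'Automatic Updates'
}

function Test-MocmexSystemState {
    [CmdletBinding()]
    param([switch]$Fix)

    foreach ($name in $Services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # helpsvc does not exist on newer Windows
        $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
        $bad = ($startMode -eq 'Disabled')
        [PSCustomObject]@{
            Item  = "$name ($($Services[$name]))"
            State = "$startMode / $($svc.Status)"
            Bad   = $bad
        }
        # Automatic was the Windows XP default for all four; on newer Windows
        # confirm the expected start mode before applying.
        if ($Fix -and $bad) {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name -ErrorAction SilentlyContinue
        }
    }

    # Explorer: Hidden = 1 shows hidden files, 2 hides them; ShowSuperHidden = 1
    # also shows protected system files. The worm wants hidden files invisible.
    $adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hidden = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).Hidden
    $bad    = ($hidden -ne 1)
    [PSCustomObject]@{ Item = 'Explorer: Hidden'; State = "$hidden"; Bad = $bad }
    if ($Fix -and $bad) {
        Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
        Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
    }

    # AutoRun: NoDriveTypeAutoRun is a bitmask of drive types excluded from
    # AutoRun; 0xFF excludes every type, which neutralises autorun.inf on
    # removable media and so blocks this worm's spreading vector.
    $pol   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ndt   = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $bad   = ($ndt -ne 0xFF)
    $shown = if ($null -eq $ndt) { 'unset' } else { '0x{0:X2}' -f $ndt }
    [PSCustomObject]@{ Item = 'Policies: NoDriveTypeAutoRun'; State = $shown; Bad = $bad }
    if ($Fix -and $bad) {
        if (-not (Test-Path -Path $pol)) { New-Item -Path $pol -Force | Out-Null }
        Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

Test-MocmexSystemState | Format-Table -AutoSize
```

The Explorer values are per-user (HKCU), so the check must be run as the user whose profile the worm modified; the NoDriveTypeAutoRun policy is machine-wide and is the setting that actually stops the autorun.inf vector on every removable drive inserted afterwards.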


Downloads and Executes Arbitrary Files

The worm attempts to contact the domain webweb.com to download and execute various files.


Analysis by Taras Malivanchuk

