
W32.Mockbot.A.Worm

Risk Level 1: Very Low

Discovered: February 25, 2004
Updated: February 13, 2007 12:18:57 PM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


W32.Mockbot.A.Worm is a worm that spreads using computers infected with the W32.Mydoom.A@mm and Backdoor.Optix worms. To spread itself, the worm can also exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), as well as a vulnerability in the DameWare Mini Remote Control program.

W32.Mockbot.A.Worm is written in C and is packed with UPX.



The list of monitored processes:
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • AckWin32.EXE
  • ACKWIN32.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • agentw.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTIVIRUS.EXE
  • ANTS.EXE
  • APIMONITOR.EXE
  • APLICA32.EXE
  • apvxdwin.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AutoTrace.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • Avgctrl.EXE
  • AVGCTRL.EXE
  • AVGNT.EXE
  • AvgServ.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGUARD.EXE
  • AVGW.EXE
  • avkpop.EXE
  • AvkServ.EXE
  • avkservice.EXE
  • avkwctl9.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • avpm.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • Avsched32.EXE
  • AvSynMgr.AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD32.EXE
  • AVWUPSRV.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • BD_PROFESSIONAL.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • blackd.EXE
  • BLACKD.EXE
  • BlackICE.EXE
  • BLACKICE.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • bot.exe
  • BS120.EXE
  • ccApp.EXE
  • ccEvtMgr.EXE
  • ccPxySvc.EXE
  • CDP.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • Claw95.EXE
  • Claw95cf.EXE
  • CLAW95CF.EXE
  • CLEAN.EXE
  • cleaner.EXE
  • CLEANER.EXE
  • cleaner3.EXE
  • CLEANER3.EXE
  • CLEANPC.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • cpd.EXE
  • CPD.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CTRL.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • dcomx.exe
  • defalert.EXE
  • defscangui.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • dllhost.exe
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • enbiei.exe
  • ENT.EXE
  • ESAFE.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ESPWATCH.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXE.AVXW.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • fameh32.EXE
  • FAST.EXE
  • fch32.EXE
  • fih32.EXE
  • FINDVIRU.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • fnrb32.EXE
  • FPROT.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FRW.EXE
  • fsaa.EXE
  • FSAV.EXE
  • fsav32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • fsgk32.EXE
  • fsm32.EXE
  • fsma32.EXE
  • fsmb32.EXE
  • f-stopw.EXE
  • F-STOPW.EXE
  • gbmenu.EXE
  • GBMENU.EXE
  • gbpoll.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HTLOG.EXE
  • HWPE.EXE
  • iamapp.EXE
  • IAMAPP.EXE
  • iamserv.EXE
  • IAMSERV.EXE
  • IAMSTATS.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • index.exe
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISRV95.EXE
  • JAMMER.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KILLPROCESSSETUP161.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • lockdown2000.EXE
  • LOCKDOWN2000.EXE
  • lolx.exe
  • LOOKOUT.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • mmc.exe
  • msblast.exe
  • mslaugh.exe
  • mspatch.exe
  • Navw32.EXE
  • NeoWatchLog.EXE
  • notstart.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • npscheck.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • ntrtscan.EXE
  • NTVDM.EXE
  • NTXconfig.EXE
  • Nui.EXE
  • Nupgrade.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • nvsvc32.EXE
  • NWINST4.EXE
  • NWService.EXE
  • NWTOOL16.EXE
  • OSTRONET.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • PAVCL.EXE
  • pavproxy.EXE
  • PAVPROXY.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • pccntmon.EXE
  • pccwin97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • pcscan.EXE
  • PDSETUP.EXE
  • penis32.exe
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • rapapp.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • REALMON.EXE
  • REGEDIT.EXE
  • REGEDT32.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • root32.exe
  • rpc.exe
  • rpctest.exe
  • RRGUARD.EXE
  • RSHELL.EXE
  • rtvscan.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • SAFEWEB.EXE
  • sbserv.EXE
  • SBSERV.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • scvhost.exe
  • SD.EXE
  • SERV95.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SMC.EXE
  • SOFI.EXE
  • SPF.EXE
  • Sphinx.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • ST2.EXE
  • SUPFTRL.EXE
  • SUPPORTER5.EXE
  • SWEEP95.EXE
  • SweepNet.SWEEPSRV.SYS.SWNETSUP.EXE
  • SymProxySvc.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TDS-3.EXE
  • teekids.exe
  • TFAK.EXE
  • TFAK5.EXE
  • tftpd.exe
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • UNDOBOOT.EXE
  • UPDATE.EXE
  • vbcmserv.EXE
  • VBCMSERV.EXE
  • VbCons.EXE
  • VBCONS.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • Vet95.EXE
  • VET95.EXE
  • VetTray.EXE
  • VETTRAY.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • vshwin32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • vsmon.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • winppr32.exe
  • WINRECON.EXE
  • WNT.EXE
  • worm.exe
  • WrAdmin.EXE
  • WRADMIN.EXE
  • WrCtrl.EXE
  • WRCTRL.EXE
  • WSBGATE.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • zapro.EXE
  • ZAPRO.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • zonealarm.EXE
  • ZONEALARM.EXE


Antivirus Protection Dates

  • Initial Rapid Release version February 26, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version February 26, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date February 27, 2004

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: Medium
Writeup By: John Canavan
