MORICONS.EXE trojan/virus?

Tim

Archived from groups: comp.security.firewalls (More info?)

I'm running XP Pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it.

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80

c:\windows\system32\moricons.exe

I did a whois search on the ip and got: http://www.verio.net

Search results for: 206.58.237.248
OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US
ReferralServer: rwhois://rwhois.verio.net:4321/
NetRange: 206.58.0.0 - 206.58.255.255
CIDR: 206.58.0.0/16
NetName: VRIO-206-058
NetHandle: NET-206-58-0-0-1
Parent: NET-206-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
NameServer: NS4.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-01-10
Updated: 2003-08-27
 

Tim

After I deny the first attempt I get another that says this:

'MORICONS.EXE' from your computer wants to send UDP datagram to ***
[127.0.0.1], port 3837

c:\windows\system32\moricons.exe



Any ideas what this is?

Tim
 
Guest

On Sat, 15 May 2004 14:01:27 +0000, Tim wrote:

> I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few
> minutes it detects an outgoing connection alert. It also does this every
> time I use the back or forward button in Internet Explorer. Norton and
> Ad-aware have not detected it. Does anyone know anything about it or how
> to stop it other than just making a rule to deny it.
>
> Here is the info:
>
> 'MORICONS.EXE' from your computer wants to connect to
> update.requestlookup.net [206.58.237.248], port 80
>
> c:\windows\system32\moricons.exe
>
I don't know what that file is, but the correct name for the file that it
is impersonating is "moricons.dll". Have you tried renaming the exe to
something else ( like moricons.suspect) so that it doesn't get executed?
If it is a required file, you should get some kind of error message after
renaming and rebooting.
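As an added example (not code from the thread or from any of the posters), the script below does offline what this reply suggests doing by eye: it parses the two Kerio alert shapes Tim pasted (TCP connect and UDP datagram, each followed by the binary's full path) and flags an executable whose base name borrows the name of a genuine Windows file under a different extension, which is exactly the moricons.exe vs. moricons.dll case. The sample alert text is the thread's own; the short KNOWN_SYSTEM_FILES list, the extra loopback and TCP/80 checks and all function names are my assumptions for illustration.

```python
"""Offline triage of the personal-firewall alerts quoted in this thread.

Added example, not code from the thread or its posters. It parses Kerio's
two alert shapes (TCP connect, UDP datagram), then flags the executable if
its base name borrows the name of a genuine Windows file under a different
extension (moricons.exe beside the real moricons.dll). KNOWN_SYSTEM_FILES
is a constructed, deliberately short sample; a real check would use a full
inventory of the Windows install.
"""
import ipaddress
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Alert text as quoted in the thread (constructed sample input).
SAMPLE_ALERTS = """\
'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80

c:\\windows\\system32\\moricons.exe

'MORICONS.EXE' from your computer wants to send UDP datagram to ***
[127.0.0.1], port 3837

c:\\windows\\system32\\moricons.exe
"""

# Assumed sample of legitimate Windows file names (not a complete list).
KNOWN_SYSTEM_FILES = {"moricons.dll", "shell32.dll", "kernel32.dll", "svchost.exe"}

# One alert: header line(s), a blank line, then the full path of the binary.
ALERT_RE = re.compile(
    r"'(?P<proc>[^']+)' from your computer wants to "
    r"(?:(?P<tcp>connect to)|(?P<udp>send UDP datagram to))\s+"
    r"(?P<host>\S+)\s*\[(?P<ip>[0-9.]+)\],\s*port\s+(?P<port>\d+)\s*\n\s*\n"
    r"(?P<path>[A-Za-z]:\\[^\n]+)",
    re.IGNORECASE,
)


@dataclass
class Alert:
    process: str
    path: str
    proto: str   # "tcp" or "udp"
    host: str    # Kerio prints "***" when it has no name for the peer
    ip: str
    port: int


def parse_alerts(text: str) -> list[Alert]:
    """Extract every alert block from a pasted firewall log."""
    return [
        Alert(process=m["proc"], path=m["path"].strip(),
              proto="tcp" if m["tcp"] else "udp",
              host=m["host"], ip=m["ip"], port=int(m["port"]))
        for m in ALERT_RE.finditer(text)
    ]


def masquerade_target(path: str, known=KNOWN_SYSTEM_FILES) -> Optional[str]:
    """Return the genuine file name this path imitates, or None.

    A hit is: same base name as a known system file, different extension.
    """
    stem, _, ext = PureWindowsPath(path).name.lower().rpartition(".")
    for legit in known:
        legit_stem, _, legit_ext = legit.rpartition(".")
        if stem == legit_stem and ext != legit_ext:
            return legit
    return None


def triage(text: str) -> list[dict]:
    """Parse the alerts and attach a human-readable reason for each flag."""
    findings = []
    for a in parse_alerts(text):
        reasons = []
        target = masquerade_target(a.path)
        if target:
            reasons.append(f"name imitates system file {target}")
        loopback = ipaddress.ip_address(a.ip).is_loopback
        if loopback:
            reasons.append("talks to a local listener on loopback")
        elif a.proto == "tcp" and a.port == 80 and "\\system32\\" in a.path.lower():
            reasons.append("outbound TCP/80 from an executable in system32")
        findings.append({"process": a.process, "path": a.path, "proto": a.proto,
                         "dest": f"{a.ip}:{a.port}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"{f['path']} -> {f['proto']} {f['dest']}: {'; '.join(f['reasons'])}")
```

Run it with the pasted alerts and both entries come back flagged: the first for the borrowed moricons name and the plain-HTTP connection out of system32, the second for the borrowed name and the UDP traffic to 127.0.0.1. Renaming the file, as suggested above, is what breaks the loop; the parser just makes sure nothing else in a long alert log is hiding behind a familiar name.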
 

Tim

Here's the info on the file:
Location: c:\windows\system32\moricons.exe
Size: 48.8 KB (50,042 bytes)
Size on disk: 52.0 KB (53,248 bytes)
Created, modified and accessed: Wednesday, August 22, 2001, 9:02:03 PM

Found a link to it in the reg:
HKEY_CURRENT_USER\Software\Microsoft\SearchAssistant\ACMru\5603
Name:000
Type: REG_SZ
Data: MORICONS.EXE


I'll try renaming it and if that works I'll remove the link in the reg and
then try to delete it. I would really like to know where it came from
though.


> I don't know what that file is, but the correct name for the file that it
> is impersonating is "moricons.dll". Have you tried renaming the exe to
> something else ( like moricons.suspect) so that it doesn't get executed?
> If it is a required file, you should get some kind of error message after
> renaming and rebooting.
 

Chuck

On Sat, 15 May 2004 16:19:44 GMT, "Tim"
<Tims-News123@carolina.rr.comRemove#s> wrote:

>Here's the info on the file:
>Location: c:\windows\system32\moricons.exe
>Size: 48.8 KB (50,042 bytes)
>Size on disk: 52.0 KB (53,248 bytes)
>Created, modified and accessed: Wednesday, August 22, 2001, 9:02:03 PM
>
>Found a link to it in the reg:
>HKEY_CURRENT_USER\Software\Microsoft\SearchAssistant\ACMru\5603
>Name:000
>Type: REG_SZ
>Data: MORICONS.EXE
>
>
>I'll try renaming it and if that works I'll remove the link in the reg and
>then try to delete it. I would really like to know where it came from
>though.

Tim,

The "...\ACMRu\..." registry entries are from Search Assistant
history.

You might want to get Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. It provides
way more information than Task Manager, including what modules are
loaded by Moricons.Exe, and who distributed each module.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Guest

[This followup was posted to comp.security.firewalls and a copy was sent
to the cited author.]

In article <Xoppc.35258$V_.1468388@twister.southeast.rr.com>, Tims-News123
@carolina.rr.comRemove#s says...
> I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few minutes
> it detects an outgoing connection alert. It also does this every time I use
> the back or forward button in Internet Explorer. Norton and Ad-aware have not
> detected it. Does anyone know anything about it or how to stop it other than
> just making a rule to deny it.

Try Spybot (http://www.safer-networking.org/). No single program finds
everything. Also, for AdAware, did you go through the options to force it
to scan everything? By default, it only scans the registry, cookies, and
windows directories. Also, make certain your Norton and AdAware
definitions are up to date.

A google search only found two usable links. One for an ancient
newsgroup post:
http://groups.google.com/groups?q=moricons.exe&hl=en&lr=&ie=UTF-8&safe=off&selm=jcmorris.703172656%40mwunix&rnum=3
The other in Japanese:
http://www.sotec.co.jp/onlineclub/waza/

--
If there is a no_junk in my address, please REMOVE it before replying!
All junk mail senders will be prosecuted to the fullest extent of the
law!!
http://home.att.net/~andyross
 

Tim

Latest update. My Norton updated its definitions today and scanned my PC.
The new virus definition found Moricons.delete (formerly named moricons.exe)
as a Trojan and automatically deleted it. This is what Norton had to say:

The file C:\WINDOWS\SYSTEM32\moricons.delete is infected with the
Download.Trojan virus. This Download.Trojan virus connects to the Internet
and downloads other Trojan horses or components.

Download.Trojan does the following:
a. Goes to a specific Web or FTP site that its author created and
attempts to download new Trojans, viruses, worms, or their components.
b. After the Trojan downloads the files, it executes them.
The Threat Assessment was low, but thanks to Kerio (Tiny's) Personal Firewall
notifying me of an outgoing attempt I found this virus and stopped it before
Norton knew it existed. Just another reason not to surf the net without the
proper tools.

Thanks for all your help,

Tim