MORICONS.EXE trojan/virus?

Archived from groups: comp.security.firewalls

I'm running XP Pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it?

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80

c:\windows\system32\moricons.exe

I did a whois search on the ip and got: http://www.verio.net

Search results for: 206.58.237.248
OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US
ReferralServer: rwhois://rwhois.verio.net:4321/
NetRange: 206.58.0.0 - 206.58.255.255
CIDR: 206.58.0.0/16
NetName: VRIO-206-058
NetHandle: NET-206-58-0-0-1
Parent: NET-206-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
NameServer: NS4.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-01-10
Updated: 2003-08-27
  1. Archived from groups: comp.security.firewalls

    After I deny the first attempt I get another that says this:

    'MORICONS.EXE' from your computer wants to send UDP datagram to ***
    [127.0.0.1], port 3837

    c:\windows\system32\moricons.exe


    Any ideas what this is?

    Tim
  2. Archived from groups: comp.security.firewalls

    On Sat, 15 May 2004 14:01:27 +0000, Tim wrote:

    > I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few
    > minutes it detects an outgoing connection alert. It also does this every
    > time I use the back or forward button in Internet Explorer. Norton and
    > Ad-aware have not detected it. Does anyone know anything about it or how
    > to stop it other than just making a rule to deny it.
    >
    > Here is the info:
    >
    > 'MORICONS.EXE' from your computer wants to connect to
    > update.requestlookup.net [206.58.237.248], port 80
    >
    > c:\windows\system32\moricons.exe
    >
    I don't know what that file is, but the correct name for the file that it
    is impersonating is "moricons.dll". Have you tried renaming the exe to
    something else (like moricons.suspect) so that it doesn't get executed?
    If it is a required file, you should get some kind of error message after
    renaming and rebooting.
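    The two checks the thread walks through by hand, parsing the firewall's outgoing-connection alert and noticing that an .exe carries the name of a Windows DLL, as an added example that is not part of any post; the alert lines are the ones quoted in the thread re-typed as one line each, the third alert and the DLL-name set beyond moricons.dll are constructed for illustration.

```python
import re

# Constructed sample input: the two alerts quoted in the thread, joined onto one
# line each, plus one ordinary browser connection for contrast.
ALERTS = [
    "'MORICONS.EXE' from your computer wants to connect to "
    "update.requestlookup.net [206.58.237.248], port 80",
    "'MORICONS.EXE' from your computer wants to send UDP datagram to *** "
    "[127.0.0.1], port 3837",
    "'IEXPLORE.EXE' from your computer wants to connect to www.example.com "
    "[192.0.2.10], port 80",
]

# Base names of Windows components that ship as DLLs. moricons.dll is the one the
# thread identifies; shell32 and imageres are added as an assumption for illustration.
KNOWN_DLL_BASENAMES = {"moricons", "shell32", "imageres"}

# Shape of a Kerio/Tiny Personal Firewall alert as quoted above.
ALERT_RE = re.compile(
    r"'(?P<proc>[^']+)' from your computer wants to "
    r"(?:connect to|send UDP datagram to) (?P<host>\S+) "
    r"\[(?P<ip>[\d.]+)\], port (?P<port>\d+)"
)

def parse_alert(line):
    """Return {proc, host, ip, port, proto} for one alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["proto"] = "udp" if "UDP datagram" in line else "tcp"
    return rec

def suspicious_reasons(alert):
    """Defender-side heuristics: why this alert deserves a closer look."""
    reasons = []
    base, _, ext = alert["proc"].lower().rpartition(".")
    if ext == "exe" and base in KNOWN_DLL_BASENAMES:
        reasons.append(f"{alert['proc']} shares its name with a Windows DLL ({base}.dll)")
    if alert["proto"] == "udp" and alert["ip"].startswith("127."):
        reasons.append("UDP datagram to loopback (127.0.0.1)")
    if alert["host"] == "***":
        reasons.append("destination host not resolved")
    return reasons

def triage(lines):
    """Parse every alert line and attach its reasons; unparseable lines are skipped."""
    parsed = [a for a in map(parse_alert, lines) if a is not None]
    return [(a["proc"], a["ip"], a["port"], suspicious_reasons(a)) for a in parsed]
```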
  3. Archived from groups: comp.security.firewalls

    Here's the info on the file:
    Location: c:\windows\system32\moricons.exe
    Size: 48.8 KB (50,042 bytes)
    Size on disk: 52.0 KB (53,248 bytes)
    Created, modified and accessed: Wednesday, August 22, 2001, 9:02:03 PM

    Found a link to it in the reg:
    HKEY_CURRENT_USER\Software\Microsoft\SearchAssistant\ACMru\5603
    Name:000
    Type: REG_SZ
    Data: MORICONS.EXE


    I'll try renaming it and if that works I'll remove the link in the reg and
    then try to delete it. I would really like to know where it came from
    though.


    > I don't know what that file is, but the correct name for the file that it
    > is impersonating is "moricons.dll". Have you tried renaming the exe to
    > something else (like moricons.suspect) so that it doesn't get executed?
    > If it is a required file, you should get some kind of error message after
    > renaming and rebooting.
  4. Archived from groups: comp.security.firewalls

    On Sat, 15 May 2004 16:19:44 GMT, "Tim"
    <Tims-News123@carolina.rr.comRemove#s> wrote:

    >Here's the info on the file:
    >Location: c:\windows\system32\moricons.exe
    >Size: 48.8 KB (50,042 bytes)
    >Size on disk: 52.0 KB (53,248 bytes)
    >Created, modified and accessed: Wednesday, August 22, 2001, 9:02:03 PM
    >
    >Found a link to it in the reg:
    >HKEY_CURRENT_USER\Software\Microsoft\SearchAssistant\ACMru\5603
    >Name:000
    >Type: REG_SZ
    >Data: MORICONS.EXE
    >
    >
    >I'll try renaming it and if that works I'll remove the link in the reg and
    >then try to delete it. I would really like to know where it came from
    >though.

    Tim,

    The "...\ACMRu\..." registry entries are from Search Assistant
    history.

    You might want to get Process Explorer (free) from
    <http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. It provides
    way more information than Task Manager, including what modules are
    called by Moricons.Exe, and who distributed each module.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
  5. Archived from groups: comp.security.firewalls

    [This followup was posted to comp.security.firewalls and a copy was sent
    to the cited author.]

    In article <Xoppc.35258$V_.1468388@twister.southeast.rr.com>, Tims-News123
    @carolina.rr.comRemove#s says...
    > I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few minutes
    > it detects an outgoing connection alert. It also does this every time I use
    > the back or forward button in Internet Explorer. Norton and Ad-aware have not
    > detected it. Does anyone know anything about it or how to stop it other than
    > just making a rule to deny it.

    Try Spybot (http://www.safer-networking.org/). No single program finds
    everything. Also, for AdAware, did you go through the options to force it
    to scan everything? By default, it only scans the registry, cookies, and
    windows directories. Also, make certain your Norton and AdAware
    definitions are up to date.

    A Google search only found two usable links. One for an ancient
    newsgroup post:
    http://groups.google.com/groups?q=moricons.exe&hl=en&lr=&ie=UTF-8&safe=off&selm=jcmorris.703172656%40mwunix&rnum=3
    The other in Japanese:
    http://www.sotec.co.jp/onlineclub/waza/

    --
    If there is a no_junk in my address, please REMOVE it before replying!
    All junk mail senders will be prosecuted to the fullest extent of the
    law!!
    http://home.att.net/~andyross
  6. Archived from groups: comp.security.firewalls

    Latest update. My Norton updated its definitions today and scanned my PC.
    The new virus definition found Moricons.delete (formerly named moricons.exe)
    as a Trojan and automatically deleted it. This is what Norton had to say:

    The file C:\WINDOWS\SYSTEM32\moricons.delete is infected with the
    Download.Trojan virus. This Download.Trojan virus connects to the Internet
    and downloads other Trojan horses or components.

    Download.Trojan does the following:
    a. Goes to a specific Web or FTP site that its author created and
    attempts to download new Trojans, viruses, worms, or their components.
    b. After the Trojan downloads the files, it executes them.

    The threat assessment was low, but thanks to Kerio (Tiny's) Personal Firewall
    notifying me of an outgoing attempt I found this virus and stopped it before
    Norton knew it existed. Just another reason not to surf the net without the
    proper tools.

    Thanks for all your help,

    Tim