Momma-B Trojan

Name: Troj/Momma-B
Type: Trojan
Date: 21 May 2002

At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.

Description:

Troj/Momma-B is a backdoor Trojan and denial-of service attack tool. It allows a remote user access to the machine via IRC channels and allows them to carry out denial-of-service attacks on the local network.

Troj/Momma-B creates a hidden folder named \INF\internet\ in the Windows folder. It then installs the files command.exe, D3dxfo.dll, icmpfilter.dll, inf.exe, mirc.ini, remote.ini, Rvspsp.dll and vbejat32.dll along with the legitimate files mswinsck.ocx and wsminsck.ocx. It also creates the registry entry

HKLM\Software\Microsoft\Windows\
CurrentVersion\Run\InternetExplorer =<Windows folder>\INF\internet\inf.exe

so that the Trojan is run automatically each time Windows is started.

When the Trojan runs it tries to connect to an IRC server and join a specific channel. It then runs in the background as a server process, listening on the IRC channel for commands from an attacker. When it receives a command it will perform the specified action, such as executing a malicious IRC script.

Troj/Momma-B uses its own IRC client program so it can work on computers that do not have other IRC client software installed.

Read the analysis at

www.sophos.com/virusinfo/analyses/trojmommab.html