

Hello MocBot/Esbot, goodbye free time
Written by t-readyroc
Wednesday, 26 October 2005
Man oh man it's been a rough couple of days. A combination of the above worms has been wreaking havoc on our network, & ol' t-ready's had to pull some long days in the process. The very day that MocBot was defined, before they'd actually released the anti-virus updates later in the day, we already had 10+ infections. The newer MocBot communicates over the same port as the earlier Esbot (TCP 18067), but instead of simply executing a bunch of services & waiting for instructions, MocBot really starts screwing with your PC. It loads up a ton of services, & kills your network shares, for instance. The strange thing, to me at least, is that though the Symantec removal tool took care of most of the processes, & said that it removed Esbot from the system, it kept coming back. According to Symantec's page, Esbot.A executes as a service having to do with mouse buttons, movement, or synchronization; however, none of the listed services were present in the infected systems, even those which the removal tool had said that it had cleaned. The only reason I was able to clear up the infections was because I looked in the services list for anything having to do with mouse button monitoring. What I found was a service called "SCVse button monitoring service," which again wasn't listed at any of the anti-virus sites, but had the same service description as the Esbot.A services. Once I disabled that service, & deleted its corresponding reg key, the system came up clean. Most of the MocBot infections I encountered already had this variation of Esbot running when I began my clean-up procedures. I think that perhaps the Esbot downloaded the MocBot & installed it, which led to more & more infections. If you go to Google & search for the "SCVse button monitoring service," you won't even get any results, so if you're having difficulty getting rid of one or both of these bots on a system, check & see if that service is indeed installed.
Thank gawd for our Snort box, cuz finding the infected hosts was easy once we knew the port to look for.



