MORICONS.EXE ???

Tim

I'm running XP Pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it?

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80

c:\windows\system32\moricons.exe

I did a whois search on the ip and got: http://www.verio.net

Search results for: 206.58.237.248
OrgName: Verio, Inc.
OrgID: VRIO
Address: 8005 South Chester Street
Address: Suite 200
City: Englewood
StateProv: CO
PostalCode: 80112
Country: US
ReferralServer: rwhois://rwhois.verio.net:4321/
NetRange: 206.58.0.0 - 206.58.255.255
CIDR: 206.58.0.0/16
NetName: VRIO-206-058
NetHandle: NET-206-58-0-0-1
Parent: NET-206-0-0-0-0
NetType: Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
NameServer: NS3.VERIO.NET
NameServer: NS4.VERIO.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment:
Comment: ********************************************
Comment: Reassignment information for this block is
Comment: available at rwhois.verio.net port 4321
Comment: ********************************************
RegDate: 2000-01-10
Updated: 2003-08-27
 
Tim

After I deny the first attempt I get another that says this:

'MORICONS.EXE' from your computer wants to send UDP datagram to BT1
[127.0.0.1], port 3837

c:\windows\system32\moricons.exe



Any ideas what this is?

Tim
 
Art

Tim said:
After I deny the first attempt I get another that says this:

'MORICONS.EXE' from your computer wants to send UDP datagram to BT1
[127.0.0.1], port 3837

c:\windows\system32\moricons.exe

Any ideas what this is?

I can't find anywhere that moricons.exe is either legit or illegit. It
seems suspicious to me. What's the file date (and other file info)?
Have you considered sending a copy to Symantec for an analysis? And
uploading it for av scanning by other av products? Have you tried the
latest version of Spybot?


Art
http://www.epix.net/~artnpeg
 
Netuser 58

Tim said:
After I deny the first attempt I get another that says this:

'MORICONS.EXE' from your computer wants to send UDP datagram to BT1
[127.0.0.1], port 3837

c:\windows\system32\moricons.exe



Any ideas what this is?

Tim


Where to send files for testing and analysis:

Alwil (Avast): (e-mail address removed)
(ZIP or RAR, password protected)
CAI (IPE, Vet): (e-mail address removed)
Eset (NOD32): (e-mail address removed)
Frisk (F-Prot): (e-mail address removed)
F-Secure: (e-mail address removed)
H+BEDV (AntiVir): (e-mail address removed)
Kaspersky (AVP): (e-mail address removed)
NAI (McAfee): (e-mail address removed)
(in a ZIP file, password "infected")
Norman: (e-mail address removed)
Panda: (e-mail address removed)
Sophos: (e-mail address removed)
Symantec (Norton): (e-mail address removed)
Note: Symantec may send an automated reply which
is not necessarily reliable
Trend: (e-mail address removed)


Netuser58
 
Tim

Art,

Location: c:\windows\system32\moricons.exe
Size: 48.8 KB (50,042 bytes)
Size on disk: 52.0 KB (53,248 bytes)
Created, modified and accessed: Wednesday, August 22, 2001, 9:02:03 PM

Found a link to it in the reg: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
Name:000
Type: REG_SZ
Data: MORICONS.EXE

I just installed and ran Spybot with no luck. I too searched the net for the
file and found nothing. The only thing that was close was the moricons.dll
which has to do with icons. I guess I will upload it to Norton and see what
happens. Do you think it would be ok to delete the link from the reg to stop
it from starting or maybe just rename it. I don't want to just permanently
deny it with a rule because it will just eat resources trying to get out?

Tim



After I deny the first attempt I get another that says this:

'MORICONS.EXE' from your computer wants to send UDP datagram to BT1
[127.0.0.1], port 3837

c:\windows\system32\moricons.exe

Any ideas what this is?

I can't find anywhere that moricons.exe is either legit or illegit. It
seems suspicious to me. What's the file date (and other file info)?
Have you considered sending a copy to Symantec for an analysis? And
uploading it for av scanning by other av products? Have you tried the
latest version of Spybot?


Art
http://www.epix.net/~artnpeg
 
Ionizer

Tim said:
I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it.

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80

c:\windows\system32\moricons.exe

Try doing a Google search for moricons.DLL for more insights. One page
resulting from that search describes it as a "file of icons." Also this:
http://www.geocities.com/basicsofcomputing/d/dll.htm

Hope that helps,
Ian.
 
wa0goz

Tim said:
After I deny the first attempt I get another that says this:

'MORICONS.EXE' from your computer wants to send UDP datagram to BT1
[127.0.0.1], port 3837

c:\windows\system32\moricons.exe

Any ideas what this is?

Tim

Maybe it's a corrupt file. I have moricons.dll in my C:\Windows folder.

Henry
 
Jan Il

Tim said:
I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it.

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80
[snip list]

C:\WINDOWS\moricons.dll

I just checked, it is a legitimate file. It is a file with other icons. It
is not a virus. It may be looking for icons. Look at the Other Info on it.

Jan :)
 
Tim

I don't believe this file has anything to do with icons. Yes, the
moricons.dll is an icon file. But this file "MORICONS.EXE" is trying to
connect to an IP address over and over again. I did a search on another XP
Pro machine for this file and it's not there. Search yours if you would like.
I found in my msconfig a startup link which I unchecked, so it's not running
now. When running it didn't seem to affect anything, but I also never let it
connect.

Tim


Jan Il said:
Tim said:
I'm running xp pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it.

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80
[snip list]

C:\WINDOWS\moricons.dll

I just checked, it is a legitimate file. It is a file with other icons. It
is not a virus. It may be looking for icons. Look at the Other Info on it.

Jan :)
 
Art

Tim said:
Art,

Location: c:\windows\system32\moricons.exe
Size: 48.8 KB (50,042 bytes)
Size on disk: 52.0 KB (53,248 bytes)
Created, modified and accessed: Wednesday, August 22, 2001, 9:02:03 PM

Hmm. Quite old. Odd that nothing can be found on it except on a
Japanese web site.
Found a link to it in the reg: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
Name:000
Type: REG_SZ
Data: MORICONS.EXE

I just installed and ran Spybot with no luck. I too searched the net for the
file and found nothing. The only thing that was close was the moricons.dll
which has to do with icons. I guess I will upload it to Norton and see what
happens.

Upload it to single file av scan sites listed here:

http://www.claymania.com/anti-virus.html
Do you think it would be ok to delete the link from the reg to stop
it from starting
Yes.

or maybe just rename it.

You can do that as well ... if necessary in Safe mode.
I don't want to just permanently
deny it with a rule because it will just eat resources trying to get out?

I think you definitely want to pursue it. Someone has posted a list of
antivirus research submission sites. I encourage you to get the file
analyzed.


Art
http://www.epix.net/~artnpeg
 
Tim Downie

Tim said:
I don't believe this file has anything to do with icons. Yes, the
moricons.dll is an icon file. But this file "MORICONS.EXE" is trying to
connect to an IP address over and over again.

I would agree absolutely. It's not on my xp machines and I find it hard to
believe that folk here seem to be confusing it with "moricons.dll", a
perfectly legitimate file. Until proved otherwise, it should be considered
malicious.

Another Tim.
 
Stuart Gray

Tim said:
I don't believe this file has anything to do with icons. Yes, the
moricons.dll is an icon file. But this file "MORICONS.EXE" is trying to
connect to an IP address over and over again. I did a search on another XP
Pro machine for this file and it's not there. Search yours if you would like.
I found in my msconfig a startup link which I unchecked, so it's not running
now. When running it didn't seem to affect anything, but I also never let it
connect.

Tim


Jan Il said:
Tim said:
I'm running XP Pro with Kerio (Tiny's) Personal Firewall. Every few minutes
it detects an outgoing connection alert. It also does this every time I use
the back or forward button in Internet Explorer. Norton and Ad-aware have not
detected it. Does anyone know anything about it or how to stop it other than
just making a rule to deny it.

Here is the info:

'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80
[snip list]

C:\WINDOWS\moricons.dll

I just checked, it is a legitimate file. It is a file with other icons. It
is not a virus. It may be looking for icons. Look at the Other Info on it.

Jan :)
I'd be very suspicious of moricons.exe, no such file on a windows
installation. The .dll is valid. Looks like it is a trojan using the
moricons name to help hide it. I would delete it. Try running Spybot,
Ad-aware and an antivirus program of your choice against it.
 
Jan Il

Tim said:
I don't believe this file has anything to do with icons. Yes, the
moricons.dll is an icon file. But this file "MORICONS.EXE" is trying to
connect to an IP address over and over again. I did a search on another XP
Pro machine for this file and it's not there. Search yours if you would like.
I found in my msconfig a startup link which I unchecked, so it's not running
now. When running it didn't seem to affect anything, but I also never let it
connect.

What does your firewall say about it? If it's Zone Alarm, you can click on
More Information and it will show you what it is trying to do. Does it tell
you anything? I got confused with the exe and dll in the different posts.
If it is an .exe, then no, it's not the same and does not sound like a
legitimate file.

I find nothing on it in the security files on the Internet. I'll check with my
security sources and see if they know anything about it.

Jan :)
 
Rick

Tim said:
'MORICONS.EXE' from your computer wants to connect to
update.requestlookup.net [206.58.237.248], port 80

c:\windows\system32\moricons.exe

I did a whois search on the ip and got: http://www.verio.net

It looks like "requestlookup.net" is based out of Portland, Oregon. They
get their connectivity from:

network: IP-Network-Block: 206.58.237.0 - 206.58.237.255
network: Org-Name: Sawtooth Technologies LLC.
network: Street-Address: 1104 NW 15th Suite 310
network: City: Portland
network: State: OR
network: Postal-Code: 97209
network: Country-Code: US

Sawtooth Tech (http://www.saw.net/) is an ISP who gets their connectivity
from Verio.

A quick hop over to http://requestlookup.net brings you to what looks
like yet another adware "enhanced search engine" site called Search
Request. They have a FAQ at http://www.requestlookup.net/faq.php which
includes directions on removing their toolbar. Whether or not you can
believe them is another thing entirely. Any company that resorts to this
kind of BS is not trustworthy in my opinion.

Perhaps this will help you sort out your moricons.exe problem. To me, it
sounds like you've still got some ad/spyware on your system somewhere. If
you haven't already done so, I'd recommend running Ad-Aware in Customize
mode and turn on all of the available options (hosts file, IE favorites,
inside archives, etc) and run it again. Then pick up a copy of Spybot S&D
1.3 which just came out and run it as well. The two make an effective
combo that has worked well on all but one system that I've cleaned up
lately. That one exception was a Look2Me parasite that had latched on to
explorer.exe as a .dll and required manual removal.
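Rick's post shows the step Tim's first lookup missed: the ARIN record for 206.58.237.248 is the parent /16 allocation and carries a ReferralServer pointing at Verio's rwhois, where the /24 reassignment to Sawtooth lives. As an added example (not the posters' own code), the routine below parses both record styles and picks the longest-prefix match, so the reader sees why the first answer was "Verio" and the second "Sawtooth". The two records are constructed copies of the lines quoted in this thread; real whois output differs between registries and the key names are an assumption beyond those two samples.

```python
"""Pick the most specific allocation for an IP from whois-style records.

Added example, not from the thread's authors.  The two records are constructed
copies of what the posts quote (an ARIN record with a ReferralServer, and the
rwhois reassignment it points to); real whois output varies by registry.
"""
import ipaddress
import re
from typing import Dict, List, Optional

ARIN_RECORD = """\
OrgName: Verio, Inc.
OrgID: VRIO
ReferralServer: rwhois://rwhois.verio.net:4321/
NetRange: 206.58.0.0 - 206.58.255.255
CIDR: 206.58.0.0/16
NetName: VRIO-206-058
NetType: Direct Allocation
"""

RWHOIS_RECORD = """\
network: IP-Network-Block: 206.58.237.0 - 206.58.237.255
network: Org-Name: Sawtooth Technologies LLC.
network: City: Portland
network: State: OR
network: Country-Code: US
"""

RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)")


def parse_record(text: str) -> Dict[str, str]:
    """Flatten 'Key: value' lines.  rwhois lines carry a 'network:' class prefix, which is dropped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("network:"):
            line = line[len("network:"):].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def record_networks(fields: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """CIDR blocks covered by the record's address range (ARIN and rwhois use different keys)."""
    rng = fields.get("NetRange") or fields.get("IP-Network-Block")
    if not rng:
        return []
    m = RANGE_RE.search(rng)
    if m is None:
        return []
    lo, hi = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    return list(ipaddress.summarize_address_range(lo, hi))


def most_specific(ip: str, records: List[Dict[str, str]]) -> Optional[Dict[str, Optional[str]]]:
    """Longest-prefix match across the records; a ReferralServer on the winner means 'keep digging'."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for rec in records:
        for net in record_networks(rec):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rec)
    if best is None:
        return None
    net, rec = best
    return {
        "network": str(net),
        "org": rec.get("OrgName") or rec.get("Org-Name"),
        "referral": rec.get("ReferralServer"),
    }


if __name__ == "__main__":
    records = [parse_record(ARIN_RECORD), parse_record(RWHOIS_RECORD)]
    print("parent allocation :", most_specific("206.58.237.248", records[:1]))
    print("after referral    :", most_specific("206.58.237.248", records))
```

With only the ARIN record the answer is the /16 and a non-empty referral field; after adding the rwhois record the /24 wins and the referral is gone, which is the signal that you have reached the end of the delegation chain.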
 
Art

Jan Il said:
I have contacted the experts at the AumHa forum below regarding your problem
at
http://aumha.org/forum/viewforum.php?f=31

and the recommendation of Manny Carvalho, MS-MVP & AH-VSOP is as follows:

Begin quote/

It's probably the IP address for somebody using the Verio network. It does
suggest a malicious piece of code.
If 'MORICONS.EXE' is not a valid program then the outbound traffic should
be blocked for sure. I would suggest to the poster that they see if they can
determine what kind of software this is by looking at its properties.
Further, they should do all the parasite fighting routines that we normally
suggest here. If nothing shows up then I would change the name of
'MORICONS.EXE' to something else like 'MORICONSOLD.EXE' and see if anything
happened and go on from there./end quote

Better to rename it moricons.old so it cannot execute in any event.


Art
http://www.epix.net/~artnpeg
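The advice in this post and the one it quotes (record the file's properties, look for the legitimate file it is impersonating, then rename it to something that cannot execute) is a small procedure, and the added example below carries it out end to end. It is not code from the thread's posters; it builds a constructed mock of a Windows directory tree in a temporary folder so it runs anywhere, and the file contents are stand-in bytes, not the real moricons files. The hash is recorded before the rename and checked afterwards, so the copy you later submit to an AV vendor can be matched to what was actually on disk.

```python
"""Record the facts about a suspect file, look for name collisions, then neutralise it by renaming.

Added example, not from the thread's authors.  It builds a constructed mock of
a Windows directory tree in a temporary directory so it runs anywhere; the file
contents are stand-ins, not the real moricons files.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def describe_file(path: Path) -> Dict[str, object]:
    """Size, SHA-256 and modification time: record these before the file is touched,
    so a later AV submission can be matched to what was actually on disk."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "path": str(path),
        "size": st.st_size,
        "sha256": digest.hexdigest(),
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def find_name_collisions(search_roots: List[Path], suspect: Path) -> List[Path]:
    """Files under the roots that share the suspect's base name but not its extension
    (moricons.exe next to a legitimate moricons.dll is the pattern in this thread)."""
    stem, ext = suspect.stem.lower(), suspect.suffix.lower()
    hits: List[Path] = []
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                cand = Path(dirpath) / name
                if cand.stem.lower() == stem and cand.suffix.lower() != ext:
                    hits.append(cand)
    return sorted(hits)


def quarantine(path: Path) -> Path:
    """Rename to a non-executable extension (moricons.exe -> moricons.old), as Art
    suggests above, verifying the bytes are unchanged and refusing to overwrite."""
    target = path.with_suffix(".old")
    if target.exists():
        raise FileExistsError(f"{target} already exists; pick another name")
    before = describe_file(path)["sha256"]
    path.rename(target)
    if describe_file(target)["sha256"] != before:
        raise RuntimeError("file contents changed during rename")
    return target


def run_demo() -> Dict[str, object]:
    """Build the constructed tree, triage the suspect, clean up, return what was observed."""
    root = Path(tempfile.mkdtemp(prefix="moricons-demo-"))
    try:
        windows = root / "WINDOWS"
        system32 = windows / "system32"
        system32.mkdir(parents=True)
        # Constructed stand-ins: a "legitimate" dll and the suspect exe that copies its name.
        (windows / "moricons.dll").write_bytes(b"MZ constructed icon library stand-in")
        suspect = system32 / "moricons.exe"
        suspect.write_bytes(b"MZ constructed suspect stand-in")

        facts = describe_file(suspect)
        collisions = [p.name for p in find_name_collisions([windows], suspect)]
        moved = quarantine(suspect)
        return {
            "facts": facts,
            "collisions": collisions,
            "quarantined_as": moved.name,
            "original_present": suspect.exists(),
            "hash_after": describe_file(moved)["sha256"],
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real machine you would point `find_name_collisions` at the actual Windows and system32 directories and call `quarantine` on the file itself; renaming rather than deleting keeps the sample available for the vendor submissions listed earlier in the thread.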
 
Jan Il

I have contacted the experts at the AumHa forum below regarding your problem
at
http://aumha.org/forum/viewforum.php?f=31

and the recommendation of Manny Carvalho, MS-MVP & AH-VSOP is as follows:

Begin quote/
I haven't heard of that one, but, 206.58.237.248 is not a valid web site.
It's probably the IP address for somebody using the Verio network. It does
suggest a malicious piece of code.
If 'MORICONS.EXE' is not a valid program then the outbound traffic should
be blocked for sure. I would suggest to the poster that they see if they can
determine what kind of software this is by looking at its properties.
Further, they should do all the parasite fighting routines that we normally
suggest here. If nothing shows up then I would change the name of
'MORICONS.EXE' to something else like 'MORICONSOLD.EXE' and see if anything
happened and go on from there./end quote

If you have not already done so, try downloading, updating and running
AdAware in addition to the SpyBot you have already tried, as what one does
not find, the other may.

Then you might try the information provided here. If you have had no success
thus far, it might be worth a try. But, you should also send a copy to one
of the virus sites already provided for you.

hth

Jan :)
 
Tim

Thanks for all the help. I still don't know what the file is or where it
came from. I ran Ad-aware and Spybot with no luck. I also ran Process
Explorer and although it appeared in there, it gave no info about it. I
finally changed the name to moricons.delete and everything seems ok for now.
I unchecked the item in msconfig. I use Kerio (Tiny's) Personal Firewall and
I don't think it will show any information other than incoming and outgoing
attempts. I will try Ad-Aware in Customize mode to see if that will catch
it next. It's kind of weird that I'm the only one that has run across this.
If there are any brave souls out there that would like to dissect this file,
just email me and I'll shoot it your way!

Thanks for all the help so far,

Tim
 
Tim

Latest update. My Norton updated its definitions today and scanned my PC.
The new virus definition found Moricons.delete (formerly named moricons.exe)
as a Trojan and automatically deleted it. This is what Norton had to say:

The file C:\WINDOWS\SYSTEM32\moricons.delete is infected with the
Download.Trojan virus. This Download.Trojan virus connects to the Internet
and downloads other Trojan horses or components.

Download.Trojan does the following:
a. Goes to a specific Web or FTP site that its author created and
attempts to download new Trojans, viruses, worms, or their components.
b. After the Trojan downloads the files, it executes them.

The Threat Assessment was low, but thanks to Kerio (Tiny's) Personal Firewall
notifying me of an outgoing attempt I found this virus and stopped it before
Norton knew it existed. Just another reason not to surf the net without the
proper tools.

Thanks for all your help,

Tim
 
