Backdoor.Win32.Mokes

Detect Date 08/20/2015
Class Backdoor
Platform Win32
Description

Malware in this family (which is also known as “Smoke loader”) is distributed by criminals with the help of the Trojan.Win32.Cutwail spam bot. When run on the user’s computer, malware in the Backdoor.Win32.Mokes family downloads other malware (such as Trojan-Ransom.Win32.Cryptodef, also known as Cryptowall). Smoke loader is notable for its modular architecture, which enables the malware to gain additional features.

These modules make it possible for the malware to perform the following actions on an infected computer:

  • Spoof the Hosts file (located at %SystemRoot%\system32\drivers\etc\hosts on the infected computer).
  • Steal user passwords.
  • Intercept data entered by the user in a web browser.
  • Install shell code on the user’s computer.
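
A defender can check for the Hosts file spoofing listed above by auditing the file for mappings that differ from the default loopback entries. The following is an added example, not code from the original page or from Kaspersky Lab. The sample file, its `.example` hostnames, the 203.0.113.7 address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; the .example names and 203.0.113.7
# (documentation range) are placeholders, not indicators from this page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.vendor.example   # constructed entry
203.0.113.7     login.bank.example www.bank.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_no, address_text, hostnames) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip("\ufeff").split("#", 1)[0].strip()  # drop BOM, comments
        if line:
            address, *names = line.split()
            yield line_no, address, [n.lower() for n in names]

def audit_hosts(text, loopback_names=frozenset({"localhost"})):
    """Return (line_no, verdict, hostname, address) for entries worth reviewing."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, "malformed", " ".join(names), address))
            continue
        for name in names:
            if ip.is_loopback and name in loopback_names:
                continue  # expected default mapping
            # A name pinned to a loopback or unspecified address is cut off;
            # any other address overrides DNS and sends the name elsewhere.
            local = ip.is_loopback or ip.is_unspecified
            verdict = "sinkholed" if local else "redirected"
            findings.append((line_no, verdict, name, address))
    return findings

if __name__ == "__main__":
    # On a live system, read the hosts file from the path given above instead.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding, sep="\t")
```

Legitimate software such as ad blockers and developer tools also writes to this file, so findings need review against a known-good baseline for the machine.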

Geographical distribution of attacks by the Backdoor.Win32.Mokes family


Geographical distribution of detections during the period from 24 July 2014 to 27 July 2015

Top 10 countries with most attacked users (% of total attacks)

Rank  Country             % of users attacked worldwide*
1     USA                 10.57
2     India               6.49
3     Russian Federation  6.17
4     Vietnam             5.24
5     Algeria             4.85
6     United Kingdom      4.32
7     Kazakhstan          4.00
8     Australia           2.75
9     Germany             2.70
10    Brazil              2.36

* Percentage of all unique Kaspersky Lab users attacked by this malware