Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread. Since it is fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary anti-virus writeups and signatures.
Amazingly, this new variant of Mocbot, still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and ip addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.
Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040. Primarily Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems.
This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.
Mocbot can also use AOL Instant Messenger to send instant messages using the victim's account. This could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP. Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445. This underscores the danger of allowing unrestricted external instant messaging in a corporate environment, as it often introduces malware directly to users, bypassing perimeter controls.
At the time of this writing, anti-virus detection is not especially broad, with only 1/3 of all anti-virus engines tested reporting the file as malware or flagging it as suspicious. None of them recognize it as a Mocbot variant.