April 7, 2008

W32.Momib.A - Worm

The worm W32.Momib.A spreads by copying itself to all removable and network drives. It may also remove files from removable and network drives.

The worm attempts to remove files and folders inside Symantec's virus definition folder, where Symantec stores its latest virus definitions. Symantec Anti-Virus will be incapable of detecting viruses if the files inside this folder are removed.

C:\Program Files\Common Files\Symantec Shared\VirusDefs

This worm may create and open a file named "msg.txt" inside 'C:\'. The file contains the following message:

*** I M P O R T A N T M E S S A G E ***
------------------------------------------
ALL DATA [REMOVED] on your computer
------------------ SORRY ------------------
* tHe pIrAcY kIllEr *



The worm creates a file named autorun.inf on all network shares and removable drives.
[DRIVE LETTER]:\autorun.inf

Content of [DRIVE LETTER]:\autorun.inf

[AutoRun]
open=mobimb.exe
shell\open\Command=mobimb.exe
shell\open\Default=1
shell\explore\Command=mobimb.exe
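
The autorun.inf above points the open, shell\open and shell\explore actions at mobimb.exe. As an added example (not from Symantec or the original post), this Python code parses an autorun.inf and lists the entries that would start a program, so drive and share roots can be checked for such files. The function names and the scan_roots helper are assumptions made for illustration.

```python
import os
import re

# autorun.inf content as listed in the write-up above, used here as sample input
SAMPLE = r"""[AutoRun]
open=mobimb.exe
shell\open\Command=mobimb.exe
shell\open\Default=1
shell\explore\Command=mobimb.exe
"""

# Keys in the [AutoRun] section that cause a program to be launched
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_entries(text):
    """Return (key, command) pairs from the [AutoRun] section that start a program."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                entries.append((key.lower(), value))
    return entries

def scan_roots(roots):
    """Check each drive or share root for an autorun.inf and report what it launches."""
    findings = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        try:
            with open(path, "r", encoding="latin-1") as fh:
                entries = launch_entries(fh.read())
        except OSError:
            continue  # no autorun.inf here, or the root is not readable
        if entries:
            findings[path] = entries
    return findings

if __name__ == "__main__":
    for key, cmd in launch_entries(SAMPLE):
        print(f"{key:24} -> {cmd}")
```

Pass scan_roots a list of drive or share roots (for example the removable drives currently mounted) to get a per-file list of launch entries for review.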


Systems Affected: All Windows.

How to remove worm W32.Momib.A?



Source: Symantec
