W32.Moks


Aliases: Virus.Win32.HLLW.Mokser, Win32.HLLW.Mokser, W32/Moklo.worm, Win32.HLLW.Generic.70
Variants: W32/Moks-A, Win32/HLLW.Mokser, WORM_MOKS.A, Worm/Moks.A, Win32.HLLW.Mokser.A

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: North America, South America, Asia, Europe, Australia
Removal: Easy
Platform: W32
Discovered: 17 Sep 2003
Damage: Low

Characteristics: W32.Moks is malware that copies itself to every file and folder on the C:\ drive on the 10th day of a month. It is written in Microsoft's Visual Basic and packed with UPX. This boot virus is known to infect the hard disk's MBR (master boot record). It allegedly acts on the sequence Windows uses to start when the system is rebooted or switched on.

More details about W32.Moks

Upon launching on the compromised machine, W32.Moks immediately checks the system's current date. If the date is the 10th day of the month, the virus executes a shell command that can leave the system disabled, and it is also able to delete every folder and file stored on the C:\ drive. It then copies itself as a .PIF file and adds a registry value so that it is launched with Windows. When infecting, the malware substitutes its own code for the program code that has control when the system starts. It can also force the system to read that code into memory and pass control to the virus instead of the default boot program.

This virus can infect a compromised machine's hard disk in three ways: it can write its code in place of the MBR, modify the address of the active boot sector in the MBR's disk partition table, or write its code into the boot disk's boot sector code. In most infections the virus moves the disk's original MBR or default boot sector to another location, usually the first empty sector. Where that sector is shorter than the virus, the affected sector holds the first part of the virus code and the remainder is placed elsewhere on the disk. The infection can be removed with an antivirus program.
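Two of the three infection methods above leave traces in the first sector of the disk: the boot code changes, or the active partition entry points somewhere new. The following script is an added example, not code from the original page or from any antivirus product; it parses a 512-byte MBR, applies generic sanity checks (boot signature, exactly one active partition, valid status bytes) and, when a known-good copy of the sector is available, reports whether the boot code or the active entry's start LBA has changed. The sample MBRs and the `build_mbr` helper are constructed for the example and do not represent a real disk image.

```python
import struct

MBR_SIZE = 512
PT_OFFSET = 446          # partition table starts at byte 446 of the sector
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xAA"   # boot signature in the last two bytes


def parse_partition_table(mbr: bytes) -> list:
    """Return the four 16-byte partition entries as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline: bytes = None) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    active = [e for e in entries if e["status"] == 0x80]
    if not active:
        findings.append("no active partition")
    elif len(active) > 1:
        findings.append("more than one active partition")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["lba_start"] == 0:
            findings.append(f"entry {e['index']}: partition starts inside the MBR sector")
    if baseline is not None:
        # Method 1 from the text: boot code overwritten in place.
        if mbr[:PT_OFFSET] != baseline[:PT_OFFSET]:
            findings.append("boot code differs from known-good baseline")
        # Method 2 from the text: active boot sector address changed in the partition table.
        for cur, ref in zip(entries, parse_partition_table(baseline)):
            if cur["status"] != ref["status"] or cur["lba_start"] != ref["lba_start"]:
                findings.append(f"entry {cur['index']}: active flag or start LBA changed from baseline")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples.
    Constructed sample data for this example, not a real disk image."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table + BOOT_SIG


# Constructed samples: a clean sector, and one whose boot code was replaced and whose
# active partition now points at a different start sector.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90CLEANBOOT", [(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90OTHERCODE", [(0x80, 0x07, 63, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, CLEAN_MBR))
    print("tampered:", check_mbr(TAMPERED_MBR, CLEAN_MBR))
```

On a real system the 512 bytes would be read from the raw disk device with administrative rights and the baseline stored off-host at build time; the generic checks are useful even without a baseline, but only the baseline comparison catches a partition entry that is merely redirected rather than malformed.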