Virus.Win32.HLLW.Mokser, Win32.HLLW.Mokser, W32/Moklo.worm, Win32.HLLW.Generic.70
W32/Moks-A, Win32/HLLW.Mokser, WORM_MOKS.A, Worm/Moks.A, Win32.HLLW.Mokser.A
Category: Computer Virus
North America, South America, Asia, Europe, Australia
17 Sep 2003
The W32.Moks virus is malware capable of copying itself to all files and folders on the C:\ drive on the 10th day of a given month. It is written in Microsoft’s Visual Basic programming language and packed with UPX. This boot virus is known to infect the hard disk’s MBR (master boot record). It allegedly acts based on the algorithm used to launch Windows when the system is rebooted or switched on.
W32.Moks Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer virus removal tool to automatically clean W32.Moks from your computer.
More details about W32.Moks
Upon launching on the compromised machine, the W32.Moks virus immediately checks the system’s current date. If the date is the 10th day of the month, the virus executes a shell command that can result in the system being disabled. It can also delete all folders and files stored on the C:\ drive. It then copies itself as a .PIF file and adds a value to the registry so that it launches with Windows. When infecting, this malware substitutes its malicious code for the code of a program that gets control when the system is launched. It is also capable of forcing the system to read the memory and pass control to the virus’ malicious code instead of the default boot program.
This virus can infect a compromised machine’s hard disk in three ways. It can write its code in place of the MBR, modify the address of the active boot sector in the Disk Partition Table of the hard disk’s MBR, or write its code into the boot sector code of the boot disk. In a majority of infection cases, the virus moves the disk’s original MBR or default boot sector to another sector, usually the first one that is empty. In infection cases where the sector is shorter than the virus, the affected sector will contain the first part of the virus code, while the remainder of the code will be placed in other areas. This virus’ infection can be removed with the use of an antivirus program.
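The three infection paths described above each leave a different region of the disk changed, so a baseline comparison can tell them apart. The following is an added example, not code from the original page: it assumes the standard MBR layout (boot code in bytes 0-439, partition table at offset 446, 0x55AA signature at offset 510) and a raw disk image captured from a known-clean state; the function names and the tiny test images are constructed for illustration.

```python
import struct

SECTOR, CODE_END, TABLE_OFF, SIG_OFF = 512, 440, 446, 510

def active_lba(mbr):
    """Return the start LBA of the single active (0x80) partition entry, else None."""
    if len(mbr) != SECTOR or mbr[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a valid MBR sector")
    starts = []
    for i in range(4):
        entry = mbr[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        if entry[0] == 0x80:  # status byte marks the bootable partition
            starts.append(struct.unpack_from("<I", entry, 8)[0])
    return starts[0] if len(starts) == 1 else None

def sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]

def check_boot_path(baseline, current):
    """Compare two raw disk images and report which boot-path region differs."""
    findings = []
    b_mbr, c_mbr = sector(baseline, 0), sector(current, 0)
    if b_mbr[:CODE_END] != c_mbr[:CODE_END]:
        findings.append("MBR boot code differs from baseline")
    b_lba, c_lba = active_lba(b_mbr), active_lba(c_mbr)
    if b_lba != c_lba:
        findings.append(f"active boot sector address changed: {b_lba} -> {c_lba}")
    if b_lba is not None and sector(baseline, b_lba) != sector(current, b_lba):
        findings.append(f"boot sector at LBA {b_lba} differs from baseline")
    return findings

def make_image(code=b"\x90", active_start=2, vbr=b"V"):
    """Constructed 4-sector image: MBR, one active partition, one boot sector at LBA 2."""
    mbr = bytearray(SECTOR)
    mbr[:CODE_END] = code * CODE_END
    mbr[TABLE_OFF:TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\0" * 3, 0x0B, b"\0" * 3, active_start, 2)
    mbr[SIG_OFF:] = b"\x55\xaa"
    image = bytearray(SECTOR * 4)
    image[:SECTOR] = mbr
    image[2 * SECTOR:3 * SECTOR] = vbr * SECTOR
    return bytes(image)

if __name__ == "__main__":
    clean = make_image()
    for label, img in [("code", make_image(code=b"\xcc")),
                       ("table", make_image(active_start=3)),
                       ("vbr", make_image(vbr=b"X"))]:
        print(label, check_boot_path(clean, img))
```
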