Aliases: WORM_Atomicks.a, Win32/Hotatom.A, Win32.Hotatom.A, W32.Hotmatom
Variants: W32/Hotmatom.worm, Win32/Hotatom!Worm, W32/Melo-B, Worm.Win32.VB.cd

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, Europe
Removal: Easy
Platform: W32
Discovered: 07 Mar 2006
Damage: Medium

Characteristics: This worm has been reported by various computer experts to use the operating system's email and instant messaging services to spread its code to other computers. Some antivirus developers have observed that W32.Hotmatom carries a dangerous payload that consists mainly of deleting various files from the host machine. The malware, which is launched as a 32-bit executable file, was written in Visual Basic.

More details about W32.Hotmatom

When W32.Hotmatom is launched on a vulnerable computer system, it copies itself into the operating system's directory as an executable file. It then creates new registry key values that are intended not only to load it automatically on system startup but also to control the behavior of, or totally disable, the Windows Task Manager tool. This routine is presumed to be intended to prevent more advanced computer users from directly terminating its background processes. It then deletes all files found in the root directory of the main hard drive and the floppy disk. W32.Hotmatom, however, cannot delete files that have the read-only or hidden attribute.

Another limitation observed in the W32.Hotmatom malware is that it cannot go beyond the root directory. This means that files contained in subfolders will not be deleted from an infected computer system. A compromised machine will display a message box from W32.Hotmatom that is titled "Windows" and has the message body "Error de datos". The worm will attempt to establish communication with other computers on the network via the net command. W32.Hotmatom will automatically add a malicious link to the end of every email message if the website of a specific Web mail host is visited.
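The registry changes described above (automatic loading at startup and a disabled Task Manager) can be triaged from a registry export. The following is an added example, not code from the original page: it assumes the standard Windows Run/RunOnce keys and the DisableTaskMgr policy value, because the page does not name the values the worm writes, and the sample export is constructed.

```python
import re

# Constructed sample in "reg export" text form; value names and paths are made up.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Vendor\\health.exe"
"ExampleLoader"="C:\\WINDOWS\\example_sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

# Assumption: standard Windows autostart and policy locations.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
POLICY_KEY = re.compile(r"\\CurrentVersion\\Policies\\System$", re.I)
# An executable sitting directly in the Windows directory or System32.
OS_DIR_EXE = re.compile(r'^"?[A-Z]:\\(windows|winnt)(\\system32)?\\[^\\"]+\.exe', re.I)
VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_export(text):
    """Yield (key, value_name, data) tuples from reg-export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            data = m["data"]
            if data.startswith('"'):
                # REG_SZ: drop the quotes and unescape doubled backslashes.
                data = data[1:-1].replace("\\\\", "\\")
            yield key, m["name"], data

def triage(text):
    """Return findings matching the two behaviours described on the page."""
    findings = []
    for key, name, data in parse_export(text):
        if RUN_KEY.search(key) and OS_DIR_EXE.match(data):
            findings.append(("autostart-from-os-dir", name, data))
        elif POLICY_KEY.search(key) and name.lower() == "disabletaskmgr":
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append(("task-manager-disabled", name, data))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```

Legitimate Windows components also start from the system directory, so the autostart finding is a prompt for review rather than a verdict; the two findings together on one host are the stronger signal.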