Aliases: W32/momib.a
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 06 Apr 2006
Damage: Medium

Characteristics: The worm W32.Momib.A is capable of deleting files and of copying itself to every network and removable drive it can locate on the target computer. It abuses the Windows AutoRun feature by writing its own autorun.inf file, which instructs Windows to launch the worm's copy whenever the infected drive is opened on a machine with AutoRun enabled.

More details about W32.Momib.A

Upon entering a target machine, W32.Momib.A creates EXE files that are copies of itself. It then creates two further files, one with an EXE extension and one with a TXT extension, and tries to delete every folder and file in Symantec’s virus definition folder (if a Symantec product is installed on the system). The worm also adds a registry entry so that it is executed each time Windows starts, and sets a registry entry that disables Windows Task Manager, making it harder for the user to spot and terminate the worm's process. It then opens a .txt file in Notepad; this file, purportedly from someone calling themselves ‘the piracy killer’, claims that pirated software is installed on the machine and that all data has been removed.

The W32.Momib.A worm then tries to delete or overwrite files on removable and network drives and copies a .txt file onto each drive where it has deleted files. It then spreads by copying itself to every network and removable drive it detects on the compromised system and creating its autorun.inf file on each of them.

To remove the worm, first disable the Windows System Restore feature so that an infected copy cannot be restored from a restore point after clean-up. Because the worm disables Windows Task Manager, use another application that displays running processes to locate the worm's process, momimb.exe, and terminate it once it is found. Then open the Registry Editor and delete all the modifications added by the worm (the entry that starts it with Windows and the entry that disables Task Manager).
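The following PowerShell script carries out the clean-up described above and also checks each removable and network drive for the autorun.inf launcher the worm drops. It is an added example written for this page, not code from the original write-up or from any vendor tool. It assumes the process and file name momimb.exe given above; the exact name of the Run-key value the worm creates is not stated, so the script removes every Run entry that references that file rather than a hard-coded value name. The registry paths used are the standard Windows locations for Run entries and for the DisableTaskMgr policy value, which the page does not spell out. Run it from an elevated PowerShell prompt.

```powershell
# Triage and clean-up helper for a W32.Momib.A-style autorun worm.
# Added example, not code from the original page or from any vendor write-up.
# Assumptions (not stated on the page): the dropped file is named momimb.exe as the
# text above says; the Run-key value name is unknown, so every Run entry referencing
# that file is removed; registry paths are the standard Windows locations.
# Requires an elevated prompt (HKLM edits, Disable-ComputerRestore).

$WormFile = 'momimb.exe'
$ProcName = [System.IO.Path]::GetFileNameWithoutExtension($WormFile)

# 1. Stop the running process. Task Manager is disabled by the worm, so use PowerShell instead.
Get-Process -Name $ProcName -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Restore Task Manager: a DisableTaskMgr=1 value under Policies\System is what turns it off.
foreach ($hive in 'HKCU', 'HKLM') {
    $policy = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $policy) {
        Remove-ItemProperty -Path $policy -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    }
}

# 3. Remove Run-key entries that launch the worm when Windows starts.
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { continue }
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match [regex]::Escape($WormFile)) {
            Write-Host "Removing Run entry '$($p.Name)' = $($p.Value) from $runKey"
            Remove-ItemProperty -Path $runKey -Name $p.Name
        }
    }
}

# 4. Inspect every removable (DriveType 2) and network (DriveType 4) drive for an
#    autorun.inf whose open= / shellexecute= / shell\<verb>\command= line points at the worm.
$drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 4 }
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    $inf  = $root + 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    $lines = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue
    $launchers = $lines | Where-Object {
        $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' -and
        $_ -match [regex]::Escape($WormFile)
    }
    if ($launchers) {
        Write-Host "$($d.DeviceID) autorun.inf launches the worm:"
        $launchers | ForEach-Object { Write-Host "    $_" }
        # The dropped files are usually marked hidden/system, so -Force is required.
        Remove-Item -LiteralPath $inf -Force
        $copy = $root + $WormFile
        if (Test-Path -LiteralPath $copy) { Remove-Item -LiteralPath $copy -Force }
    }
}

# 5. Disable System Restore so a cleaned machine cannot roll an infected copy back in;
#    re-enable it afterwards with Enable-ComputerRestore.
Disable-ComputerRestore -Drive "$env:SystemDrive\"
```

The autorun.inf check looks for the three directives (open, shellexecute and shell\<verb>\command) that can launch a program when a drive is opened, and only acts when the launched program is the worm's file; a legitimate autorun.inf from a vendor CD or installer is reported nothing and left alone. Step 5 is last rather than first so that the process and registry clean-up is already done when restore points are discarded.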