Aliases: Email-Worm.Win32.Mota.a, I-Worm.MoTa.a, W32/Mota.worm, Win32.HLLM.Mota, Win32/[email protected] 
Variants: Win32:MuTa, I-Worm/Mota.B, Trojan.Mobotu 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Asia, North America, Europe
Removal: Easy
Platform: W32
Discovered: 03 Jul 2004
Damage: Medium

Characteristics: Worms are dangerous programs that can replicate by themselves across networks, IRC, email or P2P applications. W32.Mota.A is a worm that spreads by sending its malicious code to the email addresses it finds in the target system's Windows address book. It uses its own SMTP (Simple Mail Transfer Protocol) engine to send emails with infected attachments. It is not capable of infecting files, and the string mobutu.a can be found within its code.

More details about W32.Mota.A

Upon a successful launch on the victim machine, the W32.Mota.A worm creates several files with the extensions .dll, .dat and .exe. It also adds a value to one of the registry keys so that the worm runs every time Windows starts. It then tries to connect to one of its predetermined IRC servers on TCP port 6667. These server addresses contain the string .org. The worm then collects the email addresses it finds in the Windows address book and in files with the extensions .htm, .txt, .dbx and .html. The infected email sent by the worm has a spoofed sender address ending in a top-level domain such as .de, .com, .be, .it, .org, .edu or .fr.

The email sent by the W32.Mota.A worm has a subject and body that are not predefined, and carries an attachment with the file extension .pif, .scr or .zip. This attachment contains the worm's code, which can infect other machines when a user downloads and installs it.

To get rid of the infection, open the Windows Task Manager and terminate the worm's running process. Next, search the system for the files associated with the worm and delete them. Then edit the registry and remove the autostart values added by W32.Mota.A.
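A mail-filter check for the attachment traits described above (.pif, .scr or .zip attachments), given as an added example that is not part of the original entry. The function names, the sample messages and the choice to look for .pif, .scr and .exe names inside a .zip are assumptions made here.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

DIRECT_EXT = (".pif", ".scr")        # attachment types named in the entry
INNER_EXT = DIRECT_EXT + (".exe",)   # assumption: names to look for inside a .zip

def risky_attachments(raw_bytes):
    """Return (attachment name, reason) pairs for one raw email message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so strip them before matching.
        name = (part.get_filename() or "").lower().rstrip(". ")
        if name.endswith(DIRECT_EXT):
            findings.append((name, "executable extension"))
        elif name.endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if n.lower().endswith(INNER_EXT)]
            except zipfile.BadZipFile:
                findings.append((name, "unreadable zip"))
                continue
            findings.extend((name, "zip contains " + n) for n in inner)
    return findings

def build_sample(filename, data):
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

def make_zip(inner_name):
    """Constructed archive holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    print(risky_attachments(build_sample("Photo.JPG.scr", b"x")))
    print(risky_attachments(build_sample("files.zip", make_zip("doc.pif"))))
```

Because the entry says the subject and body are not predefined, the check keys only on the attachment and ignores the message text.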