Summary

| Included in our products from | August 2002 (3.60) |
|---|---|
| Detected by | All Sophos products |
Action

Please read the instructions for removing worms.
Disconnecting from the network
Before disinfection, disconnect all infected computers from the network to stop the worm spreading. Follow the above instructions for removing worms, remembering to scan computers again after disinfection to make sure they're clean.
At the taskbar, select Start|Run. Type 'Sysedit' and press Return. Bring Win.ini to the front. Search for the text "msvxd.exe" and delete it if it exists. Save the file.
Windows NT/2000
In Windows NT/2000 you will also need to delete the following registry key. The removal of this key is optional in Windows 95/98/Me.
At the taskbar, select Start|Run. Type 'Regedit' and press Return. The registry editor will open.
Before you edit the registry, you should make a backup. In the Registry menu, click 'Export Registry File'. In the 'Export range' panel, select 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSVXD
and delete it if it exists. Close the registry editor.
After disinfection
Reboot your computer.
When you are sure the network is clean, you can reconnect the disinfected computers to it.
More Information
W32/Datom-A is a Win32 worm which uses Windows network shares to spread. The worm consists of three files: msvxd.exe, msvxd16.dll and msvxd32.dll. Msvxd.exe is the executable component of the worm, which loads the two DLL files.
Msvxd32.dll contains the code to spread the worm. It enumerates network shares and attempts to copy itself onto remote machines. If the copying is successful, the worm attempts to change the win.ini file so that the worm file msvxd.exe is run on Windows startup.
W32/Datom-A changes the registry value
\HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSVXD
so that the worm file msvxd.exe is run on Windows startup.
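The win.ini check from the Action steps, as an added example that is not Sophos's own code: it scans the text of a win.ini file for msvxd.exe and removes it from startup lines while keeping any other programs listed on the same line. That the entry sits on a load= or run= line in the [windows] section is an assumption (the page does not say which line the worm edits), and SAMPLE is constructed input.

```python
import re

WORM_FILE = "msvxd.exe"         # file name given on this page
STARTUP_KEYS = {"load", "run"}  # assumption: standard [windows] startup keys in win.ini

def _is_worm(entry):
    # Compare only the file-name part, case-insensitively, ignoring quotes and the path.
    name = re.split(r"[\\/]", entry.strip('"'))[-1]
    return name.lower() == WORM_FILE

def scan_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a win.ini file.

    findings is a list of (line_number, key, action); action is "removed" for a
    startup entry that was deleted, or "review" for a reference found elsewhere.
    """
    findings, out, section = [], [], ""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        header = re.match(r"\[(.+?)\]", stripped)
        if header:
            section = header.group(1).lower()
        raw_key, sep, value = stripped.partition("=")
        key = raw_key.strip().lower()
        if sep and section == "windows" and key in STARTUP_KEYS:
            # load=/run= hold several programs separated by spaces or commas.
            entries = [e for e in re.split(r"[,\s]+", value) if e]
            kept = [e for e in entries if not _is_worm(e)]
            if len(kept) != len(entries):
                findings.append((lineno, key, "removed"))
                line = f"{raw_key.strip()}={' '.join(kept)}"
        elif WORM_FILE in stripped.lower() and not stripped.startswith(";"):
            # Mentioned somewhere unexpected: report it, leave the line untouched.
            findings.append((lineno, key, "review"))
        out.append(line)
    return findings, "\r\n".join(out) + "\r\n"

# Constructed sample: the worm entry shares the load= line with a legitimate program.
SAMPLE = (
    "[windows]\r\n"
    "load=C:\\TOOLS\\clock.exe C:\\WINDOWS\\MSVXD.EXE\r\n"
    "run=\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

if __name__ == "__main__":
    found, cleaned = scan_win_ini(SAMPLE)
    print(found)
    print(cleaned)
```

Run it against a copy of win.ini taken from the disconnected machine, and compare the cleaned text with the original before writing anything back.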
