Summary

| Included in our products from | July 2002 (3.59) |
|---|---|
| Detected by | All Sophos products |
Action

Please read the instructions for removing Trojans.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
InternetExplorer = <Windows folder>\INF\internet\inf.exe
and delete it if it exists.
Close the registry editor.
More Information
Troj/Momma-B is a backdoor Trojan and denial-of-service attack tool. It allows a remote user access to the machine via IRC channels and allows them to carry out denial-of-service attacks on the local network.
Troj/Momma-B creates a hidden folder named \INF\internet\ in the Windows folder. It then installs the files command.exe, D3dxfo.dll, icmpfilter.dll, inf.exe, mirc.ini, remote.ini, Rvspsp.dll and vbejat32.dll along with the legitimate files mswinsck.ocx and wsminsck.ocx. It also creates the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
InternetExplorer = <Windows folder>\INF\internet\inf.exe
so that the Trojan is run automatically each time Windows is started.
When the Trojan runs it tries to connect to an IRC server and join a specific channel. It then runs in the background as a server process, listening on the IRC channel for commands from an attacker. When it receives a command it will perform the specified action, such as executing a malicious IRC script.
Troj/Momma-B uses its own IRC client program so it can work on computers that do not have other IRC client software installed.
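The indicators described above (the Run value and the files dropped into \INF\internet\) can be checked offline against a registry export and a file listing. The following is an added example, not Sophos code; the function names and sample data are constructed for illustration, and it assumes the export has already been decoded to text and the listing holds full paths, one per entry.

```python
import re

# Indicators from the description above; matching is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DROP_DIR = r"\inf\internet"   # hidden folder created under the Windows folder
DROPPED = {"command.exe", "d3dxfo.dll", "icmpfilter.dll", "inf.exe",
           "mirc.ini", "remote.ini", "rvspsp.dll", "vbejat32.dll"}
# A string value line in a .reg export: "name"="data"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def run_key_hits(reg_text):
    """Return (name, data) for Run values that launch inf.exe from the drop folder."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()
            continue
        m = VALUE_RE.match(line)
        if not m or key != RUN_KEY:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # The Windows folder differs per system (WINDOWS, WINNT), so match the tail.
        if data.lower().endswith(DROP_DIR + r"\inf.exe"):
            hits.append((name, data))
    return hits

def dropped_file_hits(paths):
    """Return listed paths that are Trojan files inside the drop folder."""
    hits = []
    for p in paths:
        head, _, leaf = p.lower().rpartition("\\")
        if head.endswith(DROP_DIR) and leaf in DROPPED:
            hits.append(p)
    return hits

# Constructed sample data, not taken from a real machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"InternetExplorer"="C:\\WINNT\\INF\\internet\\inf.exe"
'''
SAMPLE_FILES = [r"C:\WINNT\INF\internet\inf.exe", r"C:\WINNT\INF\internet\mirc.ini",
                r"C:\WINNT\INF\internet\mswinsck.ocx", r"C:\WINNT\system32\command.exe"]
```

The two .ocx files are left out of `DROPPED` because the description identifies them as legitimate, so their presence alone is not an indicator.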
