W32/Inmotecd-A

Aliases	Trojan.Win32.Inmota TROJ_INMOTECD.A
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	10 October 2003 06:50:51 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<variable> = rundl132.exe powrprof.dll,loadcurrentpwrscheme

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
PowerProfile = rundl132 kernel.dll,PowerProfileEnable

and delete them if they exist.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Inmotecd-A is an internet worm which spreads by replying to mail messages on computers using MAPI-based email clients such as Microsoft Outlook or Outlook Express.

The subject of the email is "Re: 0!~" and the attached file is default.htm<SPACES>.pif where <SPACES> is a large number of space characters, aimed at hiding the file's true extension of PIF.

When default.htm<SPACES>.pif is run a message box is displayed with the text "Welcome", "Welcome Microsoft CD Key web site Press OK to open the Web" and Microsoft Internet Explorer is launched with the URL http://omnitechdesign.com/cdkey.html.

The worm copies itself to the Windows and Windows System folders as default.htm<SPACES>.pif, drops the files rundl132.exe and Gate.dll to both the Windows and System folders and sets or creates one of the following registry entries to run rundl132.exe automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
<variable> = rundl132.exe powrprof.dll,loadcurrentpwrscheme

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
PowerProfile = rundl132 kernel.dll,PowerProfileEnable

<variable> is an existing sub-key which the worm changes. The worm changes all sub-keys of HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ whose data contains the string "Rundll".

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Inmotecd-A

Summary

Action

More Information