Aliases: Trojan.Win32.Inmota, Email-Worm.Win32.Inmota, Worm/Inmota.DLL
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 10 Oct 2003
Damage: Low

Characteristics: The W32.Inmota.Worm is mass mailing worm. This worm is capable of spreading across networks. It is known to spread by utilizing one or more of different transmission vectors such as IRC, instant messaging applications, email, P2P or peer to peer network and network shares. This worm is not known to infect files in the compromised machine; however, it may carry out payloads that can include information theft or lowered system security.

More details about W32.Inmota.Worm

This mass mailing worm will copy itself to the compromised computer system once it is executed. It will then drop several DLL and EXE files. This worm will likewise add a value to a registry key in order that it will also run every time that the computer system starts up. It then shows a dialog box with the title ‘Welcome’, the message ‘Welcome Microsoft CD Key web site Press OK to open the Web’ and an ‘OK’ button. In the event that users click on the ‘OK’ button of the pop-up message, the W32.Inmota.Worm will open the Internet Explorer and then attempt to connect to a predefined website assigned by its remote creator. This mass mailing worm is also able to enumerate all the email messages stored in the Microsoft Outlook application and the Outlook Express application.

Once the W32.Inmota.Worm obtains the contacts stored in the Outlook application, it will then reply to each and every email by using MAPI (Messaging Application program Interface). The name of the infected email’s attachment will have .html and some blank spaces followed by the .pif file extension. The W32.Inmota.Worm is usually acquired as a shared file on the local network. The application has the ability to bind itself on unsecured folders available on the network. The installation component of the program is often encrypted on the shell commands of legitimate applications. The installation of the program is initiated once the user executes the corrupted application.