inetman.exe - Dangerous
Antivirus Report of inetman.exe:
W32.HLLW.Donk.O is a worm that spreads through open network shares and attempts to exploit the Microsoft DCOM RPC vulnerability.
Creates copies of itself as:
- %System%\inetman.exe
- %System%\cool.exe
Adds the values:
- "Microsoft System Checkup"="inetman.exe"
- "NT Logging Service"="syslog32.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value:
- "Microsoft System Checkup"="inetman.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Generates a random IP address.
Attempts to exploit the DCOM RPC vulnerability (as described in Microsoft Security Bulletin MS03-026) by sending data on TCP port 135 to the generated IP address.
Creates a hidden, remote shell process that listens on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Ends the processes of many firewall and antivirus programs.
Attempts to copy itself to the administrative shares using different user names and passwords.
If successful, the worm will copy itself to the remote systems.
Attempts to download and execute the following files from a series of predetermined Web servers:
- %Temp%\upd32a.exe
- %Temp%\lpd32b.exe
- %System%\navinst.exe
- %Temp%\file.my3
Connects to the predetermined IRC servers and awaits commands from an attacker.
The backdoor provides the attacker with the following functions:
- Flood a specified host
- Download files from the attacker
- Execute files
Use RegRun Startup Optimizer to automatically remove it from startup.
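The autorun entries listed in this report can be checked offline against a registry export taken from a suspect machine. The following is an added example, not part of the original report; the sample export, its SoundMan entry and the function name are constructed for illustration.

```python
import ntpath
import re

# Autorun indicators from the report above: (registry key, value name, file name).
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INDICATORS = {
    (RUN.lower(), "microsoft system checkup", "inetman.exe"),
    (RUN.lower(), "nt logging service", "syslog32.exe"),
    (RUN.lower() + "services", "microsoft system checkup", "inetman.exe"),
}

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')
UNESCAPE_RE = re.compile(r"\\(.)")  # .reg string data escapes backslash and quote

# Constructed sample: a .reg export from a hypothetical infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Checkup"="inetman.exe"
"NT Logging Service"="C:\\WINDOWS\\system32\\syslog32.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft System Checkup"="inetman.exe"
'''


def find_donk_autoruns(reg_text):
    """Return sorted (key, value name, data) tuples that match the indicators."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            name, data = (UNESCAPE_RE.sub(r"\1", g) for g in m.groups())
            # Data may be a bare file name or a full path; compare the file name only.
            exe = ntpath.basename(data.strip('"')).lower()
            if (key.lower(), name.lower(), exe) in INDICATORS:
                hits.append((key, name, data))
    return sorted(hits)


if __name__ == "__main__":
    for key, name, data in find_donk_autoruns(SAMPLE_EXPORT):
        print(f"{key}: {name!r} -> {data!r}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file with that encoding before passing its text to the function.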
Rating of inetman.exe: Malware, Dangerous, High Risk
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.