Threat Description



Aliases: UrlSpoof.E, TrojanSpy.HTML.UrlSpoof.e, TrojanDropper.VBS.Inor.z
Category: Malware
Type: Virus
Platform: W32


On January 24th and 25th, 2004, a number of emails with a fake virus warning from Microsoft were spammed. When users view the email it attempts to download and execute a variant of VBS/Inor trojan dropper from a web site. The real address has been spoofed using a security vulnerability in Internet Explorer.


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

When an user opens the spammed email, an attept to download and execute a VBS/Inor dropper is made. If the dropper is able to execute, then a variant of W32/Dumaru worm is installed into system. Inor drops the worm to "C:\2.exe".

We have received reports that different variants of W32/Dumaru have been dropped from the web site. Further information about W32/Dumaru is available within the following descriptions:

At the time of writing this description, the trojan downloader is removed from the web site.

Below is a screenshot of the message:


Detection in F-Secure Anti-Virus was published on January 26th, 2004 at early morning in update:
Detection Type: PC
Database: 2004-01-26_01

Technical Details: Katrin Tocheva and Sami Rautiainen, January 26th, 2004


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More