W32/Bymer.A.Worm

• Detected by virus detection files published: 11/10/2000
• Virus characteristics first published: 11/10/2000
• Virus characteristics latest update: 3/17/2004
• Alias: Dnet.Dropper, W32/Msinit, W32.HLLW.Bymer
• Infection type: Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista
• Type: Worm
• Spreading mechanism: Network
• Overall risk: Low
• Payload:

W32/Bymer.A will randomly select an IP address and try to connect to it. Only Win9x machines with file sharing enabled will be infected. W32/Bymer.A arrives in a file named wininit.exe.

If the worm finds a victim to infect, it drops four files into the Windows system folder (default c:\windows\system):

  • Dnetc.exe (RC5 client)
  • Dnetc.ini (RC5 configuration file)
  • Wininit.exe (the worm itself)
  • Wininit.log (logfile used by the worm)


Then it creates one of these Registry keys to load itself each time Windows is started:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bymer.scanner

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Bymer.scanner


It may also add itself to c:\windows\win.ini in the Windows section as:

Load = C:\WINDOWS\SYSTEM\Wininit.exe
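
A triage check for the artifacts listed above, added here as an example and not taken from the original description or from any vendor tool. The function names, the input shapes (a file listing, Run-key value names, win.ini text) and the sample win.ini are assumptions constructed for illustration.

```python
import ntpath

# Names taken from the description above; matching is case-insensitive.
DROPPED_FILES = {"dnetc.exe", "dnetc.ini", "wininit.exe", "wininit.log"}
RUN_VALUE = "bymer.scanner"

# Constructed sample win.ini, not captured from an infected host.
SAMPLE_WIN_INI = r"""
[windows]
Load = C:\WINDOWS\SYSTEM\Wininit.exe
run=

[Desktop]
load=C:\WINDOWS\SYSTEM\Wininit.exe
"""

def win_ini_load_entries(text):
    """Return the programs listed on load= in the [windows] section only."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "load":
                entries += value.replace(",", " ").split()
    return entries

def bymer_indicators(system_files, run_values, win_ini_text):
    """List which of the documented Bymer.A artifacts are present.

    system_files: file names found in the Windows system folder
    run_values:   {"Run": [...], "RunServices": [...]} value names under
                  HKLM\\Software\\Microsoft\\Windows\\CurrentVersion
    """
    hits = [f"file:{n}" for n in sorted(DROPPED_FILES & {f.lower() for f in system_files})]
    for key in ("Run", "RunServices"):
        if any(v.lower() == RUN_VALUE for v in run_values.get(key, [])):
            hits.append(f"registry:{key}\\Bymer.scanner")
    for entry in win_ini_load_entries(win_ini_text):
        folder, name = ntpath.split(entry.lower())
        # Only the copy in the system folder matches the description.
        if name == "wininit.exe" and ntpath.basename(folder) == "system":
            hits.append(f"win.ini:load={entry}")
    return hits
```

A host showing only some of these artifacts still warrants a closer look, since the description says the worm creates one of the two Registry entries and only may add the win.ini line.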
