Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 30 Oct 2000 03:00:00
Description created: 09 Nov 2000 03:00:00
Description updated: 09 Nov 2000 03:00:00
Malware type: WORM
Alias: Dnet.Dropper, W32/Msinit, W32.HLLW.Bymer
Spreading mechanism: NETWORK
Summary: None

W32/Bymer.A.Worm

Spreading

W32/Bymer.A will randomly select an IP address and try to connect to it. Only Win9x machines with file sharing enabled will be infected. W32/Bymer.A arrives in a file named wininit.exe.

If the worm finds a victim to infect, four files are dropped to the Windows system folder (default c:\windows\system):

Dnetc.exe (RC5 client)
Dnetc.ini (RC5 configuration file)
Wininit.exe (the worm itself)
Wininit.log (logfile used by the worm)

Then it creates one of these Registry keys to load itself each time Windows is started:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bymer.scanner

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Bymer.scanner

It may also add itself to c:\windows\win.ini in the Windows section as:



Load = C:\WINDOWS\SYSTEM\Wininit.exe
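
The dropped files, Run/RunServices entries and win.ini line listed above can be combined into a host check. The Python code below is an added example, not part of the original description; it assumes a REGEDIT4-style registry export in which Bymer.scanner appears as a value name or a subkey, and every sample input in it is constructed.

```python
# Added example: checks for the W32/Bymer.A artifacts named on this page.
import ntpath

DROPPED = {"dnetc.exe", "dnetc.ini", "wininit.exe", "wininit.log"}
RUN_PATHS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run\bymer.scanner",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices\bymer.scanner",
}
WININI_LOAD = r"c:\windows\system\wininit.exe"

def check_files(system_dir_listing):
    """Return the dropped file names present in a listing of the system folder."""
    return sorted(DROPPED & {ntpath.basename(n).lower() for n in system_dir_listing})

def check_reg_export(text):
    """Scan a registry export; match Bymer.scanner as a subkey or a value name."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower() in RUN_PATHS:
                hits.append(key)
        elif line.startswith('"') and '"=' in line:
            full = key + "\\" + line[1:line.index('"=')]
            if full.lower() in RUN_PATHS:
                hits.append(full)
    return hits

def check_win_ini(text):
    """Return load= entries in the [windows] section that point at the worm's path."""
    hits, section = [], ""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ;comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k.lower() == "load":
                hits += [e for e in v.replace(",", " ").split() if e.lower() == WININI_LOAD]
    return hits

# Constructed sample inputs (the registry value data is an assumption).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bymer.scanner"="c:\\windows\\system\\wininit.exe"
'''
SAMPLE_INI = "[windows]\nLoad = C:\\WINDOWS\\SYSTEM\\Wininit.exe\nrun=\n[Desktop]\nLoad=x\n"
SAMPLE_DIR = ["C:\\WINDOWS\\SYSTEM\\DNETC.EXE", "C:\\WINDOWS\\SYSTEM\\Wininit.log"]
```

Each function returns the matching entries, so an empty list from all three means none of the listed artifacts were found in the supplied data.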

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12