Name:
Bymer
Also known as:
Dnet, I-Worm.Msinit, I-Worm/RC5.A, MsInit, RC5, TR.Worm.RC5.WinInit, TROJ_BYMER, TROJ_MSINIT.A, TROJ_RC5.B, Trojan.Win32.Bymer, Trojan/Win32.Msini.A, W32.Bymer, W32.HLLW.Bymer, W32/Bymer, W32/MsInit, W32/MsInit.ini, W32/MsInit.worm, Win32.Bymer, Win32.HLLW.RC5, Win32.MSInit, Win32.RC5.4096, Win32/Bymer.Worm, Win32/Bymera.C.unp, Win32/Bymera.D@mm, Worm.Bymer, Worm.Dnet, Worm.RC5, Worm_Bymer_a
Type:
PE EXE worm
Affects:
Win9x machines with open file shares
Discovered:
October 9, 2000
Description:
The Bymer worm is a PE executable (Win32 application) that infects Win9x machines with open file shares. The worm locates a victim computer by selecting an IP address at random and attempting to connect to the 'C' file share on that machine. If it can access that shared resource, it copies several files into the remote computer's \Windows\System\ directory:
WININIT.EXE - worm's body, 22016 bytes long
DNETC.EXE - Distributed Net RC5 client, 186188 bytes long
DNETC.INI - INI file with settings for the RC5 client
Additionally, the following line may be added to the remote computer's \Windows\WIN.INI file:
[windows]
load=C:\WINDOWS\SYSTEM\WININIT.EXE
This enables autostarting of the worm in every Windows session. After the infected computer is rebooted, the worm (WININIT.EXE) executes the RC5 client (DNETC.EXE) in hidden mode and continues to infect other computers.
Several variants of the Bymer worm are known to exist.
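A triage check for the indicators listed above, for use against a mounted copy of a suspect disk. This is an added example, not part of the original description: the function names are hypothetical, the sample WIN.INI is constructed, and the check also covers run=, the other [windows] autostart key, which the description does not mention.

```python
import os
import re

# Names and sizes are the ones given in the description above.
# DNETC.INI has no size listed, so only its presence is reported.
DROPPED = {"WININIT.EXE": 22016, "DNETC.EXE": 186188, "DNETC.INI": None}
WORM_PATH = r"C:\WINDOWS\SYSTEM\WININIT.EXE"

# Constructed sample, not taken from an infected machine.
SAMPLE_WIN_INI = (
    "[windows]\nload=C:\\WINDOWS\\SYSTEM\\WININIT.EXE\nrun=\n\n"
    "[Desktop]\nWallpaper=(None)\n"
)


def winini_autostart(text):
    """Return load=/run= entries in the [windows] section that start the worm."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in ("load", "run"):
                # One line can list several programs, separated by spaces or commas.
                for entry in re.split(r"[ ,]+", value.strip()):
                    if entry.upper() == WORM_PATH:
                        hits.append(key + "=" + entry)
    return hits


def scan_system_dir(system_dir):
    """Return (name, size, size_matches) for each dropped file name found."""
    found = []
    for entry in sorted(os.listdir(system_dir)):
        name = entry.upper()  # Win9x file names are case-insensitive
        if name in DROPPED:
            size = os.path.getsize(os.path.join(system_dir, entry))
            found.append((name, size, DROPPED[name] in (None, size)))
    return found


if __name__ == "__main__":
    print(winini_autostart(SAMPLE_WIN_INI))
```

A file name match with a different size is still worth a look, since several variants exist and the sizes above describe only one of them.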
Vendor Descriptions: