Details
Worm.Bymer.a
This program is a PE EXE worm (a Win32 application). It infects Win9x machines with open file shares. The worm propagates by selecting an IP address at random and attempting to connect to the "C" file share on that machine. If it succeeds in accessing the share, it copies several files into the remote machine's "WINDOWS\SYSTEM" directory:
WININIT.EXE ~22016 bytes (body of worm)
DNETC.EXE 186188 bytes (RC5 client)
DNETC.INI (INI-file of DNETC.EXE)
Additionally, as part of the infection, the following line may be added to the remote computer's WINDOWS\WIN.INI file:
[windows]
load=C:\WINDOWS\SYSTEM\WININIT.EXE
After the victim computer is rebooted, WININIT.EXE runs DNETC.EXE in hidden mode and continues on to infect another computer.
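
A check for the traces described above, as an added example that is not part of the original description: it parses WIN.INI text for a load= entry in the [windows] section that starts WININIT.EXE from WINDOWS\SYSTEM, and looks for the three dropped file names in a listing of that directory. The function names and the sample input are constructed for illustration, and treating load= as a space- or comma-separated list is an assumption.

```python
import re

# Indicators taken from the description above.
WORM_FILES = {"WININIT.EXE", "DNETC.EXE", "DNETC.INI"}
DNETC_SIZE = 186188  # size of DNETC.EXE stated in the description

def windows_load_entries(win_ini_text):
    """Return the programs listed on load= lines in the [windows] section."""
    section, entries = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "windows" and key.strip().lower() == "load":
            # Assumption: load= holds a space- or comma-separated list.
            entries += [e for e in re.split(r"[ ,]+", value.strip()) if e]
    return entries

def check_host(win_ini_text, system_dir_listing):
    """system_dir_listing maps file name to size in bytes for WINDOWS\\SYSTEM."""
    findings = []
    for entry in windows_load_entries(win_ini_text):
        norm = entry.upper().replace("/", "\\")
        if norm.endswith("\\WINDOWS\\SYSTEM\\WININIT.EXE"):
            findings.append(f"WIN.INI load= starts {entry}")
    present = {name.upper(): size for name, size in system_dir_listing.items()}
    for name in sorted(WORM_FILES & set(present)):
        match = name == "DNETC.EXE" and present[name] == DNETC_SIZE
        note = " (size matches)" if match else ""
        findings.append(f"{name} present in WINDOWS\\SYSTEM{note}")
    return findings

# Constructed sample input, not data from a real host.
SAMPLE_INI = "[windows]\nload=C:\\WINDOWS\\SYSTEM\\WININIT.EXE\nrun=\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_DIR = {"wininit.exe": 22016, "dnetc.exe": 186188, "dnetc.ini": 412, "user.exe": 5000}
# A load= line outside [windows] must not be reported.
CLEAN_INI = "[windows]\nload=\nrun=\n[other]\nload=C:\\WINDOWS\\SYSTEM\\WININIT.EXE\n"

if __name__ == "__main__":
    for finding in check_host(SAMPLE_INI, SAMPLE_DIR):
        print(finding)
```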