
W32.HLLW.Bymer - Removal

Risk Level 2: Low

Discovered:
October 9, 2000
Updated:
February 13, 2007 11:50:29 AM
Also Known As:
Dnet.Dropper, W32/MsInit.worm.a [McAfee], Worm.Bymer.a [Kaspersky], TROJ_MSINIT.A [Trend], WORM_BYMER.A [Trend], W32/Bymer-A [Sophos], Win32.Bymer.A [Computer Associ
Type:
Worm
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

To remove this worm, these are the steps you will perform (detailed instructions follow):
  • Run LiveUpdate to make sure that you have the most recent definitions.
  • If you are connected to a network, or are using a cable or DSL modem, you must make sure Windows is set up for maximum protection when using shared files or folders.
  • Restart the computer in Safe Mode.
  • Scan all files and delete any that are found to be infected.
  • Delete the files the worm put on the hard drive.
  • Remove the worm's entry from the Win.ini file.
  • Remove the worm's entries from the Windows registry.
  • Run another full system scan.

NOTE: For additional information on distributed.net, the legitimate program that has been illegally altered to distribute this Trojan, see the document What is distributed.net?

Run LiveUpdate
We strongly recommend that you run LiveUpdate to make sure that you have the most recent virus definitions before proceeding.

Configure Windows for maximum protection
Because this virus spreads by using shared folders on networked computers, to ensure that the virus does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

NOTE: If you are using a cable or DSL modem, you are using, for all purposes, a networked computer.

Restart the computer in Safe Mode
Read the document for your operating system.

Scan all files and delete any that are found to be infected
  1. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  2. Run a full system scan.
  3. Delete all files that are detected as W32.HLLW.Bymer or Dnet.Dropper.

To delete the files placed on the hard drive by the worm or Trojan
Follow these steps to delete the files:

NOTE: You will be searching for several different files. Not all will be found on every infected computer.
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
  3. In the Named box, type (or copy and paste) the following file name:

    wininit.exe
  4. Click Find Now. Windows finds all copies of the file that are located on drive C.

    CAUTION: You are about to delete a copy of the Wininit.exe file. Make sure that you have selected the copy that is located in the \Windows\System folder. Do not delete the Wininit.exe file that is located in the \Windows folder.
  5. Right-click the copy of the Wininit.exe file that is located in the \Windows\System folder, and click Delete. Click Yes to confirm the deletion.
  6. Click New Search, and then click OK to confirm.
  7. In the Named box, type (or copy and paste) the following file names:

    ms??.exe ms???.exe ms????.exe dnetc.exe dnetc.ini dnetc.vbs msclient.exe info.dll flcss.exe
  8. Click Find Now. Windows finds all copies of the files that are located on drive C. Not all files will be on all computers.

    CAUTION: You are about to delete files. Make sure that you read the following information before you do so:
    • The search for ms???.exe or ms????.exe may find several or even many files. The file that you will delete will have the letters "MS" or "MSI" followed by two or three numbers, for example, MS216.exe or MSI216.exe. This is the only file (or files) beginning with MS (other than msclient.exe) that you should delete.
    • Dnetc.exe (and its .ini file) is a legitimate distribution program that has been used to distribute the worm or Trojan. If you find other evidence of infection, we strongly recommend that you delete it.
    • Dnetc.vbs, if found, should be deleted.
    • Several legitimate programs use an Info.dll file, including ACT!
    • All of the files dropped by W32.HLLW.Bymer are in either the \Startup folder or the \System folder. If a file is found in a different location--particularly if it is in a subfolder of C:\Program Files--then it is most likely legitimate, and it should not be deleted.
    • If you are not sure about any particular file, rename the file instead of deleting it. Make sure that you write down the original name of the renamed file and its location.
  9. In the lower pane of the Find dialog box, select the files that you want to remove. It is recommended that you do this one at a time.
  10. Press Delete, and then click Yes to confirm. Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.

Remove the worm's entry from the Win.ini file
In some cases, the worm can make an entry in the Win.ini file. Follow the instructions for your operating system:
  • Windows 95/98/NT/2000/XP
    1. Click Start, and click Run.
    2. Type sysedit and then click OK. The System Configuration Editor opens.
    3. Click the title bar of the Win.ini window.
    4. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\msi216.exe

      If it exists, this file name will vary, but it will begin with "ms".
    5. Select the entire line, making sure that you have not selected any other text, and then press Delete.
    6. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\wininit.exe
    7. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    8. In the [windows] section of the file, look for an entry similar to the following:

      run=c:\windows\system\wininit.exe
    9. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    10. Exit the System Configuration Editor. Click Yes when prompted to save changes.
  • Windows Me

    NOTE: (For Windows Me users only) Due to the file protection process in Windows Me, there is a backup copy of the file you are about to edit in the C:\Windows\Recent folder. We recommend that you delete this file before you continue with the steps in this section. To do so using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
    1. Click Start, and click Run.
    2. Type the following and then click OK.

      edit c:\windows\win.ini

      The MS-DOS Editor opens.

      NOTE: If you have installed Windows to a different location, make the appropriate substitution.
    3. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\msi216.exe

      If it exists, this file name will vary, but it will begin with "ms".
    4. Select the entire line, making sure that you have not selected any other text, and then press Delete.
    5. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\wininit.exe
    6. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    7. In the [windows] section of the file, look for an entry similar to the following:

      run=c:\windows\system\wininit.exe
    8. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.


Remove the worm's entries from the Windows registry
Follow these steps to modify the registry key:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Exit all open programs.
  2. Click Start, and click Run. The Run dialog box appears.
  3. Type regedit and then click OK. The Registry Editor opens.
  4. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  5. Delete the following value from the right pane:

    bymer.scanner

    Also look for and delete any of the following values if they are found:

    distributed.net.client "C:\Windows\System\dnetc.exe"
    internat "C:\Windows\internat.exe" -hide"
    msinit "C:\Windows\System\ms***.exe"

    NOTES:
    • These may vary slightly. For example, the distributed.net.client entry may refer to "C:\Windows\System\dnetc.vbs."
    • If you used the System Configuration Utility to prevent programs from loading at startup, repeat this step for the following key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-

  6. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices

  7. Delete the following values from the right pane:

    distributed.net.client "C:\Windows\System\dnetc.exe"
    internat "C:\Windows\internat.exe" -hide"
    msinit "C:\Windows\System\ms***.exe"

    NOTES:
    • These may vary slightly. For example, the distributed.net.client entry may refer to "C:\Windows\System\dnetc.vbs."
    • If you used the System Configuration Utility to prevent programs from loading at startup, repeat this step for the key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices-

  8. Exit the Registry Editor.
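The Win.ini and registry steps above amount to a small set of autostart indicators. The following script, added here as an example and not part of the Symantec writeup, checks an exported Win.ini and a .reg export of the Run/RunServices keys for those indicators and reports matches for review; it deletes nothing, because dnetc.exe and internat.exe also exist as legitimate programs. The sample inputs are constructed and the data values in them are made up.

```python
import re

# Indicators taken from the Win.ini and registry removal steps on this page.
WININI_TARGET = re.compile(r'\\system\\(msi?\d{2,3}\.exe|wininit\.exe)$', re.I)
REG_VALUE_NAMES = {"bymer.scanner", "msinit", "distributed.net.client"}
REG_KEYS = re.compile(r'^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows'
                      r'\\CurrentVersion\\(Run|Run-|RunServices|RunServices-)\]$', re.I)

def suspicious_wininit_lines(text):
    """(line_no, line) for load=/run= entries in [windows] that name a worm file."""
    hits, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition('=')
        if (section == 'windows' and sep and key.strip().lower() in ('load', 'run')
                and WININI_TARGET.search(value.strip())):
            hits.append((no, line))
    return hits

def suspicious_reg_values(reg_text):
    """(key, name, data) for the worm's autostart values in a .reg export; reports only."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):                      # key header: track Run*/RunServices* only
            key = line[1:-1] if REG_KEYS.match(line) else None
            continue
        if key is None or not line.startswith('"'):   # outside a Run key, or not a named value
            continue
        name, _, data = line[1:].partition('"=')
        data = data.strip('"').replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
        if name.lower() in REG_VALUE_NAMES or (name.lower() == 'internat' and '-hide' in data):
            hits.append((key, name, data))
    return hits

# Constructed sample input (not captured from a real machine; data values are made up).
SAMPLE_WININI = r"""[windows]
load=c:\windows\system\msi216.exe
run=c:\windows\system\wininit.exe
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"bymer.scanner"="C:\\Windows\\System\\wininit.exe"
"msinit"="C:\\Windows\\System\\ms216.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"distributed.net.client"="C:\\Windows\\System\\dnetc.vbs"
"internat"="\"C:\\Windows\\internat.exe\" -hide"
"""
```

A plain `internat` value without `-hide` is the normal Windows 9x keyboard indicator and is not reported; a `load=` line outside the [windows] section or pointing outside \Windows\System is likewise ignored.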

Run another full system scan
While still in Safe Mode, start NAV and run a second full system scan. When the scan has finished, restart the computer.


Writeup By: Neal Hindocha
