W32.HLLW.Bymer


Discovered: October 09, 2000
Updated: February 13, 2007 11:50:29 AM
Also Known As: Dnet.Dropper, W32/MsInit.worm.a [McAfee], Worm.Bymer.a [Kaspersky], TROJ_MSINIT.A [Trend], WORM_BYMER.A [Trend], W32/Bymer-A [Sophos], Win32.Bymer.A [Computer Associ
Type: Worm
Systems Affected: Windows


Due to a decreased rate of submissions, Symantec Security Response has downgraded the threat level of this worm from Category 3 to Category 2.

W32.HLLW.Bymer is a worm written in a high-level language. It spreads over shared network drives: it scans the network for computers with open shares and, when it finds one, copies itself into that computer's \Windows\System folder.

The payload installs the Dnetc client (the distributed.net client) and adds an entry to the Win.ini file. The Dnetc client is a legitimate, non-viral program and is not detected by Norton AntiVirus.

The worm was previously detected as Dnet.Dropper.

Symantec has created an interactive tutorial to help you remove this worm.




Configure Windows for maximum protection
Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

Antivirus Protection Dates

  • Initial Rapid Release version October 10, 2000
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version October 10, 2000
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date October 10, 2000


Writeup By: Neal Hindocha



W32.HLLW.Bymer is a high-level language worm (HLLW). The Symantec AntiVirus Research Center (SARC) is currently aware of two different variants of this worm.

The first variation arrives as a file named Wininit.exe. The second variation is named Msinit.exe. Both variations have the same functionality, but their payloads vary slightly. Wininit.exe carries the Dnetc client with it, whereas Msinit.exe only copies it.

Because one variation carries the Dnetc client and the other does not, the file is approximately 220 KB (Wininit.exe) or 22 KB (Msinit.exe). Because all received samples have been packed using different versions of UPX (a runtime compressor for Windows executable files), the file size may vary slightly.

Since the functionality of both versions is almost the same, the following information applies to both variations:

When first executed, the worm adds a value to one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

This ensures that the worm runs again after a restart. It then immediately attempts to spread by probing IP addresses for shared drives: it tries one address, sleeps for two seconds, and then tries the next.

It chooses the IP addresses with some randomization. If a shared drive is found, the worm checks whether the remote computer's Windows folder is reachable through the share. If so, it copies itself into that computer's \Windows\System folder and modifies the Load= line in its Win.ini file, so that the worm runs when that computer restarts. It also installs the Dnetc client, either carrying it along (Wininit.exe) or copying it (Msinit.exe), depending on the variant.
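The probing behaviour described above leaves a network-level trace: one source contacting many distinct hosts on the file-sharing port, roughly two seconds apart. The following Python script is an added example and is not code from the Symantec writeup or from the worm; it runs the corresponding detection logic over constructed firewall log lines. The log line format and the choice of TCP port 139 (the NetBIOS session port that Windows 9x file sharing listens on; the writeup itself names no port) are assumptions of the example.

```python
"""Flag hosts that sweep the network for Windows file shares.

Added example; not code from the Symantec writeup or from the worm.
W32.HLLW.Bymer probes one IP address, sleeps two seconds, then probes the
next, so an infected host appears in connection logs as one source reaching
many distinct destinations on the file-sharing port at a steady cadence.
Assumptions for this example: the log line format below, and TCP port 139
(NetBIOS session service, the port Windows 9x file sharing listens on).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall connection attempts:
#   "<ISO timestamp> <source IP> -> <destination IP>:<port>"
# 192.168.1.20 sweeps six hosts two seconds apart (worm-like);
# 192.168.1.31 talks to a single file server (normal).
SAMPLE_LOG = """\
2000-10-09T10:00:00 192.168.1.20 -> 10.0.0.17:139
2000-10-09T10:00:02 192.168.1.20 -> 10.0.0.201:139
2000-10-09T10:00:04 192.168.1.20 -> 10.0.0.5:139
2000-10-09T10:00:06 192.168.1.20 -> 10.0.0.88:139
2000-10-09T10:00:08 192.168.1.20 -> 10.0.0.42:139
2000-10-09T10:00:10 192.168.1.20 -> 10.0.0.133:139
2000-10-09T10:00:01 192.168.1.31 -> 10.0.0.10:139
2000-10-09T10:00:03 192.168.1.31 -> 10.0.0.10:139
2000-10-09T10:00:05 192.168.1.31 -> 10.0.0.10:80
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port)."""
    ts, src, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port)


def find_share_scanners(log_text, port=139, min_targets=5, window_s=60):
    """Return {src: (distinct_targets, median_gap_seconds)} for every source
    that contacted at least min_targets distinct hosts on `port` inside any
    window_s-second window. The median gap lets an analyst compare the
    cadence with the worm's two-second sleep."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, ip, p = parse_line(line)
        if p == port:
            by_src[src].append((ts, ip))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i in range(len(events)):
            start = events[i][0]
            targets, times = set(), []
            for ts, ip in events[i:]:
                if (ts - start).total_seconds() > window_s:
                    break
                targets.add(ip)
                times.append(ts)
            if len(targets) >= min_targets:
                gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
                hits[src] = (len(targets), gaps[len(gaps) // 2])
                break
    return hits


if __name__ == "__main__":
    for src, (n, gap) in find_share_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on port 139, median gap {gap:.1f}s")
```

On the constructed sample only 192.168.1.20 is reported; the host that repeatedly contacts one file server is not, because the threshold counts distinct destinations rather than connection attempts.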

The Dnetc client is not viral. Additional information can be found at distributed.net.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.




To remove this worm, these are the steps you will perform (detailed instructions follow):

  • Run LiveUpdate to make sure that you have the most recent definitions.
  • If you are connected to a network, or are using a cable or DSL modem, you must make sure Windows is set up for maximum protection when using shared files or folders.
  • Restart the computer in Safe Mode.
  • Scan all files and delete any that are found to be infected.
  • Delete the files the worm put on the hard drive.
  • Remove the worm's entry from the Win.ini file.
  • Remove the worm's entries from the Windows registry.
  • Run another full system scan.

NOTE: For additional information on distributed.net, the legitimate program that the worm installs on infected computers without the owner's consent, see the document What is distributed.net?

Run LiveUpdate
We strongly recommend that you run LiveUpdate to make sure that you have the most recent virus definitions before proceeding.

Configure Windows for maximum protection
Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with read-only access or using password protection. For instructions on how to do this, see your Windows documentation or the document How to configure shared Windows folders for maximum network protection.

NOTE: If you are using a cable or DSL modem, you are using, for all practical purposes, a networked computer.

Restart the computer in Safe Mode
Read the document for your operating system.

Scan all files and delete any that are found to be infected
  1. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
  2. Run a full system scan.
  3. Delete all files that are detected as W32.HLLW.Bymer or Dnet.Dropper.

To delete the files placed on the hard drive by the worm or Trojan
Follow these steps to delete the files:

NOTE: You will be searching for several different files. Not all will be found on every infected computer.
  1. Click Start, point to Find, and click Files or Folders.
  2. Make sure that Look in is set to (C:) and that Include subfolders is checked.
  3. In the Named box, type (or copy and paste) the following file name:

    wininit.exe
  4. Click Find Now. Windows finds all copies of the file that are located on drive C.

    CAUTION: You are about to delete a copy of the Wininit.exe file. Make sure that you have selected the copy that is located in the \Windows\System folder. Do not delete the Wininit.exe file that is located in the \Windows folder.
  5. Right-click the copy of the Wininit.exe file that is located in the \Windows\System folder, and click Delete. Click Yes to confirm the deletion.
  6. Click New Search, and then click OK to confirm.
  7. In the Named box, type (or copy and paste) the following file names:

    ms??.exe ms???.exe ms????.exe dnetc.exe dnetc.ini dnetc.vbs msclient.exe info.dll flcss.exe
  8. Click Find Now. Windows finds all copies of the files that are located on drive C. Not all files will be on all computers.

    CAUTION: You are about to delete files. Make sure that you read the following information before you do so:
    • The search for ms???.exe or ms????.exe may find several or even many files. The file that you will delete will have the letters "MS" or "MSI" followed by two or three digits, for example, MS216.exe or MSI216.exe. This is the only file (or files) beginning with MS (other than msclient.exe) that you should delete.
    • Dnetc.exe (and its .ini file) is a legitimate distribution program that has been used to distribute the worm or Trojan. If you find other evidence of infection, we strongly recommend that you delete it.
    • Dnetc.vbs, if found, should be deleted.
    • Several legitimate programs use an Info.dll file, including ACT!
    • All of the files dropped by W32.HLLW.Bymer are in either the \Startup folder or the \System folder. If a file is found in a different location--particularly if it is in a subfolder of C:\Program Files--then it is most likely legitimate, and it should not be deleted.
    • If you are not sure about any particular file, rename the file instead of deleting it. Make sure that you write down the original name of the renamed file and its location.
  9. In the lower pane of the Find dialog box, select the files that you want to remove. It is recommended that you do this one at a time.
  10. Press Delete, and then click Yes to confirm. Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.

Remove the worm's entry from the Win.ini file
In some cases, the worm can make an entry in the Win.ini file. Follow the instructions for your operating system:
  • Windows 95/98/NT/2000/XP
    1. Click Start, and click Run.
    2. Type sysedit and then click OK. The System Configuration Editor opens.
    3. Click the title bar of the Win.ini window.
    4. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\msi216.exe

      The file name varies, but it begins with "ms".
    5. Select the entire line, making sure that you have not selected any other text, and then press Delete.
    6. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\wininit.exe
    7. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    8. In the [windows] section of the file, look for an entry similar to the following:

      run=c:\windows\system\wininit.exe
    9. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    10. Exit the System Configuration Editor. Click Yes when prompted to save changes.
  • Windows Me

    NOTE: (For Windows Me users only) Due to the file protection process in Windows Me, there is a backup copy of the file you are about to edit in the C:\Windows\Recent folder. We recommend that you delete this file before you continue with the steps in this section. To do so using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
    1. Click Start, and click Run.
    2. Type the following and then click OK.

      edit c:\windows\win.ini

      The MS-DOS Editor opens.

      NOTE: If you have installed Windows to a different location, make the appropriate substitution.
    3. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\msi216.exe

      The file name varies, but it begins with "ms".
    4. Select the entire line, making sure that you have not selected any other text, and then press Delete.
    5. In the [windows] section of the file, look for an entry similar to the following:

      load=c:\windows\system\wininit.exe
    6. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    7. In the [windows] section of the file, look for an entry similar to the following:

      run=c:\windows\system\wininit.exe
    8. If it exists, select the entire line, making sure that you have not selected any other text, and then press Delete.
    9. Save the file and exit the MS-DOS Editor.


Remove the worm's entries from the Windows registry
Follow these steps to modify the registry key:

CAUTION : We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
  1. Exit all open programs.
  2. Click Start, and click Run. The Run dialog box appears.
  3. Type regedit and then click OK. The Registry Editor opens.
  4. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  5. Delete the following value from the right pane:

    bymer.scanner

    Also look for and delete any of the following values if they are found:

    distributed.net.client "C:\Windows\System\dnetc.exe"
    internat "C:\Windows\internat.exe -hide"
    msinit "C:\Windows\System\ms***.exe"

    (In the msinit entry, ms***.exe stands for the MS or MSI plus two or three digits file name found in the previous section.)

    NOTES:
    • These may vary slightly. For example, the distributed.net.client entry may refer to "C:\Windows\System\dnetc.vbs."
    • If you used the System Configuration Utility to prevent programs from loading at startup, repeat this step for the following key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
  6. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  7. Delete the following values from the right pane:

    distributed.net.client "C:\Windows\System\dnetc.exe"
    internat "C:\Windows\internat.exe -hide"
    msinit "C:\Windows\System\ms***.exe"

    NOTES:
    • These may vary slightly. For example, the distributed.net.client entry may refer to "C:\Windows\System\dnetc.vbs."
    • If you used the System Configuration Utility to prevent programs from loading at startup, repeat this step for the key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
  8. Exit the Registry Editor.
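The Win.ini and registry steps above, and the persistence mechanism described in the technical details, reduce to a small set of rules that can be checked mechanically. The following Python script is an added example and is not code from the Symantec writeup: it reads a Win.ini file and a regedit .reg export as plain text and reports the load=/run= lines and Run/RunServices values that the removal steps say to delete, using the file-name rules given in the file-deletion section (MS or MSI plus two or three digits; wininit.exe only when it sits in \Windows\System). The sample inputs are constructed for the example.

```python
"""Find W32.HLLW.Bymer persistence entries in Win.ini and a registry export.

Added example; not code from the Symantec writeup. It encodes the rules from
the removal steps: a load= or run= line in the [windows] section of Win.ini
that points at \\Windows\\System\\wininit.exe or at an ms<2-3 digits>.exe
file, and values named bymer.scanner, distributed.net.client, msinit or
internat (all listed by the writeup) under the Run, RunServices, Run- or
RunServices- keys. Input is plain text, so it can be run against files
copied off an infected machine. Sample inputs are constructed.
"""
import re

BYMER_EXE = re.compile(r"^msi?\d{2,3}\.exe$", re.I)  # e.g. MS216.exe, MSI216.exe
DROPPED_FILES = {"wininit.exe", "dnetc.exe", "dnetc.ini", "dnetc.vbs",
                 "msclient.exe", "info.dll", "flcss.exe"}
BAD_VALUES = {"bymer.scanner", "distributed.net.client", "msinit", "internat"}
RUN_KEYS = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runservices)-?$", re.I)


def suspicious_path(path):
    """True if a startup path points at a Bymer file. Wininit.exe is a
    legitimate file in \\Windows, so the dropped copies are only flagged
    when they sit in the \\System folder."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    parts = p.split("\\")
    name = parts[-1]
    folder = parts[-2] if len(parts) > 1 else ""
    if BYMER_EXE.match(name):
        return True
    return name in DROPPED_FILES and folder == "system"


def check_win_ini(text):
    """Return the load=/run= lines in [windows] that should be removed."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() in ("load", "run"):
            # load= and run= may list several programs separated by spaces
            if any(suspicious_path(item) for item in value.split()):
                hits.append(line)
    return hits


def check_reg_export(text):
    """Return (key, value_name, data) for Run/RunServices values to delete."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not RUN_KEYS.search(key) or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')
        data = data.strip().strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
        if name.lower() in BAD_VALUES or suspicious_path(data):
            hits.append((key, name, data))
    return hits


# Constructed samples. Win.ini uses single backslashes; regedit exports
# double them, which is why SAMPLE_REG is a raw string containing "\\".
SAMPLE_WIN_INI = """[windows]
load=c:\\windows\\system\\msi216.exe
run=c:\\windows\\system\\wininit.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"bymer.scanner"="C:\\Windows\\System\\msi216.exe"
"internat"="C:\\Windows\\internat.exe -hide"
"ScanRegistry"="C:\\Windows\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"distributed.net.client"="C:\\Windows\\System\\dnetc.exe"
"""

if __name__ == "__main__":
    for line in check_win_ini(SAMPLE_WIN_INI):
        print("Win.ini: remove line", line)
    for key, name, data in check_reg_export(SAMPLE_REG):
        print(f"Registry: delete value {name!r} = {data!r} under {key}")
```

The folder check in suspicious_path is what keeps the script from reporting the legitimate \Windows\Wininit.exe, and the ScanRegistry value in the sample shows that ordinary Run entries pass through untouched. To use it on a real machine, export the two keys with regedit (File > Export) and copy Win.ini off the disk, then point the two functions at those files.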

Run another full system scan
While still in Safe Mode, start NAV and run a second full system scan. When the scan has finished, restart the computer.

