McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Bymer (Norman)

• Bymer.C (Panda)

• I-Worm.Msinit.A (Softwin)

• I-Worm.Msinit.B (Softwin)

• I-Worm/RC5.A (AVG)

• I-Worm/RC5.B (AVG)

• I-Worm/RC5.C (AVG)

• TR.Worm.RC5.WinInit (AntiVir)

• TROJ_BYMER (Trend)

• TROJ_MSINIT.A (Trend)

• TROJ_RC5.B (Trend)

• Trojan.Win32.Bymer

• Trojan/WIn32.Msini.A (RAV)

• W32.Bymer.A (Ikarus)

• W32.Bymer.B (Ikarus)

• W32.Bymer.C (Ikarus)

• W32.HLLW.Bymer (NAV)

• W32/Bymer-A (Sophos)

• W32/Bymer-B (Sophos)

• W32/Bymer-C (Sophos)

• W32/Bymer.B (Norman)

• W32/MsInit.A (AntiVir)

• W32/MSInit.A (Panda)

• W32/MSInit.B (Panda)

• W32/MSInit.D (Panda)

• W32/MsInit.ini

• W32/MsInit.worm.a

• Win32.Bymer.A (CA/VET)

• Win32.Bymer.B (CA/VET)

• Win32.Bymer.C (CA/VET)

• Win32.HLLW.RC5 (DrWeb)

• Win32.MSInit.A@mm (Softwin)

• Win32.RC5.4096 (DrWeb)

• Win32/Bymer.Worm (CA/InoculateIt)

• Win32/Bymera.C.unp (RAV)

• Win32/Bymera.D@mm (RAV)

• Win32/MSInit.A (RAV)

• Win32/MSInit.A worm (ESET)

• Win32/MSInit.B worm (ESET)

• Win32/MsInit.C (ESET)

• Win32/MsInit.C worm (ESET)

• Win32/Rc5.B.Worm (CA/InoculateIT)

• Win32/Rc5.C.Worm (CA/InoculateIT)

• Win32:MSInit-A1 [Wrm] (Alwil)

• Win32:MSInit-A2 [Wrm] (Alwil)

• Win32:MSInit-B [Wrm] (Alwil)

• Worm-RC5 (Sophos)

• Worm.Bymer.a (KAV/AVP)

• Worm.Bymer.b (KAV/AVP)

• Worm.Bymer.c (KAV/AVP)

• Worm.Dnet.A (VirusBuster)

• Worm.Dnet.B (VirusBuster)

• Worm.Dnet.C (VirusBuster)

Characteristics

W32/Msinit has been seen with the filenames, "MSINIT.EXE" and MS*.EXE [where * represents the first segment of the victim's IP subnet, ie. MS216.EXE]. This worm spreads through open network shares like the VBS/Netlog worm. It scans random IP address over NetBIOS for computers that have shares named "C" and a Windows folder called "Windows". When it finds one, it copies itself and the files "dnetc.exe" and "dnetc.ini" to the "c:\windows\system" folder of the remote computer. The file "dnetc.exe" is an encryption-cracking program from www.distributed.net, which is not the author of this worm. The samples received by AVERT are packed with the UPX file-compression utility.

Symptoms

Files mentioned above. People claiming that you are scanning their NetBIOS ports.

Method of Infection

When it finds a computer with an open share, it copies itself directly to the unprotected computer, and modifies the win.ini load= line to run the worm on the next bootup. The next bootup, it creates the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\msinit so the worm and encryption-cracking program runs without any user intervention. The worm them runs the command "dnetc -hide -install" which causes the distributed.net client to install itself in the background.

Removal

Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.

As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.

Additional Windows ME/XP removal considerations

Variants

Variants

• W32/MsInit.worm.b

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Bymer (Norman)

• Bymer.C (Panda)

• I-Worm.Msinit.A (Softwin)

• I-Worm.Msinit.B (Softwin)

• I-Worm/RC5.A (AVG)

• I-Worm/RC5.B (AVG)

• I-Worm/RC5.C (AVG)

• TR.Worm.RC5.WinInit (AntiVir)

• TROJ_BYMER (Trend)

• TROJ_MSINIT.A (Trend)

• TROJ_RC5.B (Trend)

• Trojan.Win32.Bymer

• Trojan/WIn32.Msini.A (RAV)

• W32.Bymer.A (Ikarus)

• W32.Bymer.B (Ikarus)

• W32.Bymer.C (Ikarus)

• W32.HLLW.Bymer (NAV)

• W32/Bymer-A (Sophos)

• W32/Bymer-B (Sophos)

• W32/Bymer-C (Sophos)

• W32/Bymer.B (Norman)

• W32/MsInit.A (AntiVir)

• W32/MSInit.A (Panda)

• W32/MSInit.B (Panda)

• W32/MSInit.D (Panda)

• W32/MsInit.ini

• W32/MsInit.worm.a

• Win32.Bymer.A (CA/VET)

• Win32.Bymer.B (CA/VET)

• Win32.Bymer.C (CA/VET)

• Win32.HLLW.RC5 (DrWeb)

• Win32.MSInit.A@mm (Softwin)

• Win32.RC5.4096 (DrWeb)

• Win32/Bymer.Worm (CA/InoculateIt)

• Win32/Bymera.C.unp (RAV)

• Win32/Bymera.D@mm (RAV)

• Win32/MSInit.A (RAV)

• Win32/MSInit.A worm (ESET)

• Win32/MSInit.B worm (ESET)

• Win32/MsInit.C (ESET)

• Win32/MsInit.C worm (ESET)

• Win32/Rc5.B.Worm (CA/InoculateIT)

• Win32/Rc5.C.Worm (CA/InoculateIT)

• Win32:MSInit-A1 [Wrm] (Alwil)

• Win32:MSInit-A2 [Wrm] (Alwil)

• Win32:MSInit-B [Wrm] (Alwil)

• Worm-RC5 (Sophos)

• Worm.Bymer.a (KAV/AVP)

• Worm.Bymer.b (KAV/AVP)

• Worm.Bymer.c (KAV/AVP)

• Worm.Dnet.A (VirusBuster)

• Worm.Dnet.B (VirusBuster)

• Worm.Dnet.C (VirusBuster)

Characteristics

Characteristics -

W32/Msinit has been seen with the filenames, "MSINIT.EXE" and MS*.EXE [where * represents the first segment of the victim's IP subnet, ie. MS216.EXE]. This worm spreads through open network shares like the VBS/Netlog worm. It scans random IP address over NetBIOS for computers that have shares named "C" and a Windows folder called "Windows". When it finds one, it copies itself and the files "dnetc.exe" and "dnetc.ini" to the "c:\windows\system" folder of the remote computer. The file "dnetc.exe" is an encryption-cracking program from www.distributed.net, which is not the author of this worm. The samples received by AVERT are packed with the UPX file-compression utility.

Symptoms

Symptoms -

Files mentioned above. People claiming that you are scanning their NetBIOS ports.

Method of Infection

Method of Infection -

When it finds a computer with an open share, it copies itself directly to the unprotected computer, and modifies the win.ini load= line to run the worm on the next bootup. The next bootup, it creates the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\msinit so the worm and encryption-cracking program runs without any user intervention. The worm them runs the command "dnetc -hide -install" which causes the distributed.net client to install itself in the background.

Removal -

Removal -

Use specified engine and DAT files for detection and removal. Delete files found to contain this detection.

As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.

Additional Windows ME/XP removal considerations

Variants

Variants -

• W32/MsInit.worm.b