I found the following about this at datafellows:
 
F-Secure Virus Descriptions 
   
NAME: Bymer  
ALIAS: Worm_Bymer_a, Worm.Bymer, Worm.RC5  
 
During autumn 2000 there appeared 2 worms that drop RC5 clients on computers they infect. Below you can find descriptions of both of these worms.  
 
VARIANT: Bymer.A  
 
This worm is a PE executable (Win32 application). It infects Win9x machines with open file shares. This worm tries to locate a victim computer by randomly selecting an arbitrary IP address and attempting to connect to 'C' file share on that machine. If it is successful in accessing that shared resource, it will copy several files into the remote computer's \Windows\System\ directory:  
 
 WININIT.EXE - worm's body 22016 bytes long 
 DNETC.EXE   - Distributed Net RC5 client 186188 bytes long 
 DNETC.INI   - INI-file with settings for RC5 client 
 
Additionally, the following line may be added to the remote computer's \Windows\WIN.INI file:  
 
 [windows] 
 load=C:\WINDOWS\SYSTEM\WININIT.EXE 
 
This will enable autostarting of the worm during all Windows sessions. After rebooting on the infected computer, the worm (WININIT.EXE) file executes the RC5 client (DNETC.EXE) in hidden mode and continues to infect other computers.  
 
VARIANT: Bymer.B  
 
This worm is a PE executable too (Win32 application). It infects Win9x machines with open file shares. This worm tries to locate a victim computer by randomly selecting an arbitrary IP address and attempting to connect to 'C' file share on that machine. If it is successful in accessing that shared resource, it will copy several files into the remote machine's \Windows\Start Menu\Programs\StartUp\ and \Windows\System\ directories:  
 
 MSxxx.EXE    - worm component 22016 bytes long (size and filename varies slightly) 
 MSCLIENT.EXE - worm component 4096 bytes long 
 INFO.DLL     - text file log of other infected computers 
 DNETC.EXE    - Distributed Net RC5 client 186188 bytes 
 DNETC.INI    - INI-file with settings for RC5 client 
 
Additionally, the following line may be added to the remote computer's \WINDOWS\WIN.INI file:  
 
 [windows] 
 load=c:\windows\system\msxxx.exe 
 
This will enable autostarting of the worm during all Windows sessions. When either of the two worm components is executed, the following data is entered into the registry:  
 
 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 
 MSINIT=c:\windows\system\msxxx.exe 
 
The filename MSxxx.EXE may vary.  
 
When the worm executes the RC5 client in hidden mode, it also modifies the Registry to start the client every time Windows starts.  
 
Bymer worm variants can be successfully disinfected with a fresh version of FSAV and the latest updates for it. 
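
A check for the indicators listed in the description above, as an added example that is not part of the original post or of F-Secure's text: it scans WIN.INI content for the load= autostart entry and a file listing for the dropped files in \Windows\System. The function names, the sample data, the MSxxx pattern and the size tolerance are assumptions; the StartUp folder copies and the registry value are not covered.

```python
import ntpath
import re

# File names and sizes from the description above (None = no size given there).
DROPPED = {"wininit.exe": 22016, "dnetc.exe": 186188, "dnetc.ini": None,
           "msclient.exe": 4096, "info.dll": None}
MSXXX = re.compile(r"^ms\w{1,5}\.exe$")  # assumption: "MSxxx.EXE" = MS + short suffix
SYSTEM_DIR = r"c:\windows\system"

# Constructed sample input, not taken from a real machine.
SAMPLE_INI = "\n".join([r"[windows]", r"load=C:\WINDOWS\SYSTEM\WININIT.EXE", r"run=",
                        r"[Desktop]", r"load=c:\windows\system\msabc.exe"])
SAMPLE_LISTING = {r"C:\WINDOWS\SYSTEM\DNETC.EXE": 186188,
                  r"C:\WINDOWS\SYSTEM\WININIT.EXE": 22016,
                  r"C:\WINDOWS\WININIT.EXE": 22016,         # other folder: ignored
                  r"C:\WINDOWS\SYSTEM\MS216.EXE": 22100,    # size "varies slightly"
                  r"C:\WINDOWS\SYSTEM\MSCLIENT.EXE": 8192}  # size mismatch: ignored


def suspicious_load_entries(win_ini_text):
    """Return load= targets in the [windows] section that match the worm's autostart."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep or key.strip().lower() != "load":
            continue
        for target in re.split(r"[,\s]+", value.strip()):  # load= may list several programs
            folder, name = ntpath.split(target.lower())
            if folder == SYSTEM_DIR and (name == "wininit.exe" or MSXXX.match(name)):
                hits.append(target)
    return hits


def suspicious_files(listing):
    """listing maps full path -> size in bytes; return paths matching the dropped files."""
    hits = []
    for path, size in listing.items():
        folder, name = ntpath.split(path.lower())
        if folder != SYSTEM_DIR:
            continue
        if name in DROPPED and DROPPED[name] in (None, size):
            hits.append(path)
        elif MSXXX.match(name) and abs(size - 22016) <= 512:  # tolerance is a guess
            hits.append(path)
    return sorted(hits)
```

A hit is a reason to look closer, not proof of infection, since the name pattern and size tolerance are heuristics.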