
Bymer virus 1


mmherder

Technical User
Mar 13, 2001
1
US
I hope that someone can help me with a recurring virus problem. When I am on the internet I am told by Norton Antivirus once every week or so that the W32.HLLW.Bymer virus has been found. I elect to remove it and my Norton log says "C:\WINDOWS\SYSTEM\wininit.exe
was infected with the W32.HLLW.Bymer virus.
The file was deleted"
First question: I understand that the virus is spread by other computers on the internet searching randomly for open IP addresses. My pc has only TCP/IP dial-up protocol loaded with no IP address assigned to the pc. Is the virus coming to me from my on-line connection?

Also, I understand that the virus causes networked pc's to not be able to see other mapped drives. I am not able to see the other networked pc in my home office. It does not show up in network neighborhood but that other pc is able to see the mapped drives on the "Bymer virus pc". I have run the Trend Micro Bymer removal tool and it says that I am not infected. I assume this is because Norton had deleted the WININIT.EXE file from windows/system before it sets up.

Finally, I read that the Bymer virus sits on your pc and searches the internet for open IP's to spread to without your knowing it. I have had problems with my dialup connection for a couple of months since I got my first Bymer message from Norton. My symptom is that I will be browsing web sites and suddenly my connection will temporarily stop. I do not lose the connection but the bytes sent and received just stop. Then 30-60 seconds later they will resume and the page will display normally or everything will eventually slow down to intolerable speeds. The phone company has checked my lines and my ISP has given up trying to figure out why my connection pauses. Could this be the Bymer virus looking for open IP's at that time?

Can anyone put all of this together and tell me what might be going on with these regular Bymer messages from Norton, the lost network drives and the internet dialup pausing? It's driving me crazy.
Thanks
 
The following is from my Sophos library:

This is a worm that propagates through open file shares. It tries IP addresses at random and if it finds a share called "C" it will copy itself to the Windows system folder. It may set the load= line in win.ini or a registry key in HKLM\Microsoft\Windows\CurrentVersion\RunServices to run the worm on system startup.
It will also secretly install a distributed.net program dnetc.exe in the Windows system folder, but note that this is legitimate software that may have been installed with permission.

First reported in October 2000.

Recovery:

Perform a secure bootstrap from a clean system disk with the same version of the operating system as the one installed on the hard disk.


It sounds like either your distributed.net or dnetc.exe files are infected.
James P. Cottingham
 
Here is the information from
Name: W32/Msinit

Characteristics:
W32/Msinit has been seen with the filenames, "MSINIT.EXE" and MS*.EXE [where * represents the first segment of the victim's IP subnet, i.e. MS216.EXE]. This worm spreads through open network shares like the VBS/Netlog worm. It scans random IP addresses over NetBIOS for computers that have shares named "C" and a Windows folder called "Windows". When it finds one, it copies itself and the files "dnetc.exe" and "dnetc.ini" to the "c:\windows\system" folder of the remote computer. The file "dnetc.exe" is an encryption-cracking program from which is not the author of this worm. The samples received by AVERT are packed with the UPX file-compression utility.

Other than that, I haven't heard of this one...
Terry M. Hoey
th3856@txmail.sbc.com
While I don't mind e-mail messages, please post all questions in these forums for the benefit of all members.
 
I am also suffering from the same symptoms described by mmherder. It is most annoying because I have already run a clean boot and have manually deleted all the files associated with the virus and its dissemination. In addition, I have chosen to delete the file every time Norton 2001 finds an infection and I have altered win.ini many, many times. I have also run utilities to kill this thing. Still, no permanent solution.

I also have a dynamic IP address because I am using a dial-up. It seems to me (and I do not consider myself to be a guru on this) that there must be a program residing in the host computer (mine) that resets the virus periodically. What I would like to do is set up something to track changes in my win.ini, so that I will know what program is attempting to modify it (and when). Is there such a utility? If you know of any, please respond to this forum.

Thank you for your help.

Edward R. Valdes
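
Added example, not part of any post in this thread: a Python sketch of the win.ini check asked about above. It lists the load= and run= programs in a copy of win.ini, flags the file names reported in this thread for the worm, and shows which entries are new compared with a saved known-good copy. The sample win.ini contents and all function names are constructed for illustration.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# File names reported in this thread; ms\d+ covers the "MS216.EXE" pattern.
SUSPECT = re.compile(r"^(wininit|msinit|ms\d+|dnetc)\.exe$", re.IGNORECASE)

def startup_entries(ini_text):
    """Return {key: [programs]} for load=/run= in the [windows] section."""
    entries, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in ("load", "run"):
                # Several programs may be listed, separated by spaces or commas.
                entries[key] = [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return entries

def suspicious(entries):
    """Programs whose file name matches one reported for this worm."""
    return sorted(p for progs in entries.values() for p in progs
                  if SUSPECT.match(basename(p)))

def added_since(baseline_text, current_text):
    """Startup programs present now that were absent from the baseline copy."""
    old, new = startup_entries(baseline_text), startup_entries(current_text)
    return {k: [p for p in v if p not in old.get(k, [])]
            for k, v in new.items() if any(p not in old.get(k, []) for p in v)}

# Constructed sample contents, not taken from any real machine.
BASELINE = "[windows]\nload=\nrun=\nNullPort=None\n"
CURRENT = ("[windows]\nload=c:\\windows\\system\\msinit.exe\n"
           "run=\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n")

if __name__ == "__main__":
    print("suspicious:", suspicious(startup_entries(CURRENT)))
    print("added since baseline:", added_since(BASELINE, CURRENT))
```

Comparing snapshots shows that an entry appeared, not which program wrote it. dnetc.exe is flagged by name even though the Sophos text above notes it may have been installed with permission.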
 