W32.HLLW.Bymer is a worm written in a high-level language.

 

The worm spreads via shared network drives. It probes IP addresses for open shares and, where the remote Windows folder is reachable, copies itself into that machine's Windows\system folder.

 

The payload copies the Dnetc (distributed.net) client onto the machine and modifies the Win.ini file. The Dnetc client itself is not viral and is not detected by Norton AntiVirus.

 

The worm was previously detected as Dnet.Dropper.

 

Also known as: Dnet.Dropper, W32/Msinit

 

Number of infections: 50-999

Number of sites: 3-9

Geographical distribution: Low

Threat containment: Moderate

Removal: Easy

Damage

 

Payload: Copies and installs the Distributed.net client.

Modifies files: The worm modifies Win.ini

Distribution

 

Shared drives: The worm attempts to copy itself to the Windows\system folder on shared drives

Technical description:

 

W32.HLLW.Bymer is a high level language worm (HLLW). SARC is currently aware of two different variants of this worm.

 

The first variant arrives as a file named Wininit.exe; the second is named Msinit.exe.

 

Both variants have the same functionality, but their payloads differ slightly: Wininit.exe carries the Dnetc client inside itself, whereas Msinit.exe only copies it.

 

Because one variant carries the Dnetc client and the other does not, the file is either approximately 220 KB (Wininit.exe) or approximately 22 KB (Msinit.exe). All received samples have been packed with different versions of UPX (a runtime compressor for Windows executables), so the exact file size varies slightly from sample to sample.

 

Since the functionality of both variants is almost the same, the information below applies to both.

 

When first executed, the worm adds a value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices registry key. This ensures that it is executed again after a restart. It then immediately attempts to spread by probing IP addresses for shared drives: it tries one IP address, sleeps for two seconds, then tries the next address.

 

The worm uses some randomization when choosing which IP addresses to probe. If a shared drive is found, it checks whether the remote Windows folder is accessible. If it is, the worm copies itself into that machine's Windows\system folder and modifies the Load= line in Win.ini so that the worm runs when the computer restarts. It also installs or copies the Dnetc client, depending on the variant.
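The two persistence changes described above (a Run/RunServices registry value and an edited Load= line in Win.ini) are the host artifacts an analyst would look for on a suspect machine or on a share that the worm may have reached. The following script is an added example written for this page, not code from SARC or from the write-up; it parses a Win.ini file and a .reg export of the two Run keys and flags any entry that references the known worm file names. The write-up does not name the registry value the worm creates, so the check matches on file name rather than value name, and the sample inputs (including the "msinit" value name and the C:\WINDOWS\SYSTEM paths) are constructed for the example.

```python
"""Flag the W32.HLLW.Bymer persistence artifacts in collected Win.ini and .reg text.

Added example, not part of the original write-up. Inputs are plain text you
would collect from the host: the contents of Win.ini and a .reg export of
HKLM\...\CurrentVersion\Run and \RunServices. Sample data below is constructed.
"""
from typing import List, Tuple

# File names the write-up gives for the two variants.
WORM_NAMES = ("wininit.exe", "msinit.exe")

# Keys the write-up says the worm uses for restart persistence (.reg spelling).
PERSISTENCE_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
_KEYSET = {k.lower() for k in PERSISTENCE_KEYS}


def check_win_ini(text: str) -> List[str]:
    """Return Load=/Run= lines in the [windows] section that reference a worm file name."""
    hits: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows":
            continue
        key, sep, value = line.partition("=")
        # The write-up names the Load= line; Run= is checked as well since it
        # behaves the same way at startup.
        if sep and key.strip().lower() in ("load", "run"):
            if any(name in value.lower() for name in WORM_NAMES):
                hits.append(line)
    return hits


def check_reg_export(text: str) -> List[Tuple[str, str]]:
    """Return (key, value line) pairs under Run/RunServices that reference a worm file name."""
    hits: List[Tuple[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() not in _KEYSET:
            continue
        if "=" in line and any(name in line.lower() for name in WORM_NAMES):
            hits.append((current, line))
    return hits


def triage(win_ini_text: str, reg_text: str) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"win.ini [windows]: {entry}" for entry in check_win_ini(win_ini_text)]
    findings += [f"{key}: {value}" for key, value in check_reg_export(reg_text)]
    return findings


# Constructed sample inputs (not real captures).
SAMPLE_WIN_INI = """; constructed sample
[windows]
load=C:\\WINDOWS\\SYSTEM\\wininit.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msinit"="C:\\WINDOWS\\SYSTEM\\msinit.exe"
"""

CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"
CLEAN_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_WIN_INI, SAMPLE_REG):
        print("SUSPECT", finding)
```

A hit is a lead rather than proof: confirm that the referenced file actually sits in Windows\system and that its size is in the range the write-up gives (about 22 KB or 220 KB, UPX-packed). Because the worm also writes into Windows\system on any share it can reach, the same checks should be run against the Win.ini of every machine that exposed its Windows folder on the network, not only the host where the sample was found.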

 

The Dnetc client is not viral. Additional information can be found at distributed.net.

 

Since the first sample was received, the number of submissions of this worm has been increasing. At the time of writing, there have been more than 30 submissions.