Peter Savin (pedro@shiporama.org)
Mon, 1 Jan 2001 12:55:39 -0800


This one probably infected you through an open NetBIOS share. If you have
shared out your hard drive(s), you should make sure that the shares are
password protected so you don't get infected again (there are a LOT of these
floating around). Here's info from Symantec (BTW, it's easy to find virus
info at http://www.symantec.com):

W32.HLLW.Bymer is a high level language worm (HLLW). SARC is currently aware
of two different variants of this worm.

The first variation arrives as a file named Wininit.exe. The second
variation is named Msinit.exe.

Both variations have the same functionality, but their payloads vary
slightly. Wininit.exe carries the Dnetc client with it, whereas Msinit.exe
only copies it.

Because one variation carries the Dnet client and the other doesn't, the
size can be either approximately 22 KB or 220 KB. Since all received samples
have been packed using different versions of UPX (a runtime compressor for
Windows executable files), the file size may vary slightly.

The functionality of both versions described above is almost the same, so
the information below applies to both variations.

When first executed, the worm modifies the
HKLM\Software\Microsoft\Windows\CurrentVersion\Run or
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Registry key.
This ensures execution upon restart. It then immediately attempts to spread
by checking IP addresses for shared drives. It tries one IP address, sleeps
for two seconds, then tries the next address.

W32.HLLW.Bymer does use some randomization when searching for IP addresses.
If a shared drive is found, the worm checks to see if the Windows folder is
available. If it is, it inserts itself into the Windows\system folder and
modifies the Load= line in Win.ini. This ensures that the worm will execute
when the computer restarts. It also inserts or copies the Dnetc client,
depending on the version.

The Dnetc client is not viral. Additional information can be found at
distributed.net.

Since the first sample was received by SARC, the number of submissions of
the worm has been increasing. At the time of writing, there have been more
than 30 submissions.

Removal:

Delete all files detected as W32.HLLW.Bymer. Modify the Load= line in
Win.ini.

Depending on the version of the worm, modify either
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
or
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.

To remove the Distributed.net Dnetc client, see http://www.distributed.net.

Peter Savin

bawoo@shiporama.org

----- Original Message -----
From: "Chungus" <dchunghk@netvigator.com>
To: "Gundam" <gundam@aeug.org>
Sent: Monday, January 01, 2001 9:33 AM
Subject: [gundam] virus? (OT)

> I just want to double check whether anyone on the list has any problem.
> Norton AntiVirus says my wininit.exe is infected with W32.HLLW.Bymer
> virus. Can -Z- give me a lesson on this, or anyone? I hope no one else is
> infected - sorry......
>
>
> --
> "One sees clearly only with the heart. What is essential is invisible to
> the eyes."
> Antoine de Saint-Exupéry
>
>
>
> -
> Gundam Mailing List Archives are available at http://gundam.aeug.org/

-
Gundam Mailing List Archives are available at http://gundam.aeug.org/
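The advisory quoted above names three persistence locations (the HKLM Run and RunServices keys and the Load= line in Win.ini) and two file names (Wininit.exe and Msinit.exe). The script below is an added example, not part of this message and not Symantec's or distributed.net's code: it audits text exports of those locations offline (a .reg export of the two keys and a copy of Win.ini), reports which entries point at either file name, and produces a cleaned Win.ini with only those programs removed from Load=. The sample inputs are constructed here, and the registry value name used by the worm is not given in the advisory, so the sample uses an obvious placeholder for it.

```python
"""Audit Run/RunServices and Win.ini Load= for references to the two file
names the advisory gives. Added example; works on text exports so it can
run on any machine. Sample inputs are constructed, not real captures."""
import re
from typing import List, Tuple

# File names named in the advisory for the two variants.
SUSPECT_NAMES = {"wininit.exe", "msinit.exe"}

# Autostart keys the advisory says the worm modifies (compared lower-case).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}


def _basename(command: str) -> str:
    """Executable file name from a command line, lower-cased.
    Handles a quoted path, trailing arguments, and either slash style."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command
    exe = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    return exe.split()[0].lower() if exe.split() else ""


def find_suspect_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export and return (key, value name, command) for every
    string value under Run/RunServices whose executable is a suspect name."""
    hits: List[Tuple[str, str, str]] = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key.lower() not in RUN_KEYS or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if not data.startswith('"'):       # only REG_SZ values hold commands
            continue
        # .reg exports escape backslashes and quotes inside string data
        data = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
        if _basename(data) in SUSPECT_NAMES:
            hits.append((current_key, name, data))
    return hits


def audit_win_ini(ini_text: str) -> Tuple[List[str], str]:
    """Return the suspect programs on the [windows] load= line and a copy of
    Win.ini with only those programs removed from that line."""
    suspects: List[str] = []
    out: List[str] = []
    section = ""
    for raw in ini_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and re.match(r"(?i)load\s*=", stripped):
            key, _, value = raw.partition("=")
            kept: List[str] = []
            # Win.ini separates several load= programs with spaces or commas
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog and _basename(prog) in SUSPECT_NAMES:
                    suspects.append(prog)
                elif prog:
                    kept.append(prog)
            out.append(f"{key.rstrip()}={' '.join(kept)}")
            continue
        out.append(raw)
    return suspects, "\n".join(out) + "\n"


# Constructed sample .reg export; PLACEHOLDER_VALUE_NAME stands in for a
# value name the advisory does not give.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"PLACEHOLDER_VALUE_NAME"="C:\\WINDOWS\\SYSTEM\\msinit.exe"
"""

# Constructed sample Win.ini; legit.exe is a made-up benign program.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\SYSTEM\wininit.exe C:\TOOLS\legit.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for key, name, cmd in find_suspect_run_entries(SAMPLE_REG):
        print(f"registry: [{key}] {name} -> {cmd}")
    found, cleaned = audit_win_ini(SAMPLE_WIN_INI)
    print("win.ini load= suspects:", found)
    print("cleaned win.ini:\n" + cleaned)
```

A file name alone is a weak indicator, so the script only reports entries; the advisory's removal step (delete the files the scanner detects, then clear the Load= entry and the Run/RunServices value) is applied by the person reviewing the output, and the cleaned Win.ini is returned rather than written so it can be checked first.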



This archive was generated by hypermail 2.0b3 on Tue Jan 02 2001 - 05:53:23 JST