This story was printed from ZDNet Australia.
Bymer spreads through open network shares

By Robert Vamosi
December 11, 2000
URL: http://www.zdnet.com.au/news/security/soa/Bymer-spreads-through-open-network-shares/0,130061744,120107492,00.htm


This worm scans for open NetBIOS ports across local networks or over the Internet, looking for Windows/System folders to infect.

Bymer (alias Msinit and Wininit) is a sophisticated Internet worm that infects computers without their users even knowing it.

Bymer does not arrive as an e-mail with an infected attachment; rather, this new worm randomly selects IP addresses to search for computers, on a network or over the Internet, that have NetBIOS shares open.

Bymer is one of a handful of new Trojan horses that also install the Distributed.net client software. Distributed.net is a legitimate encryption and decryption software product, and is not responsible for the Bymer worm. This worm was discovered in early 2000, but several U.S. anti-virus companies have reported an increase in infections within the last few weeks.

How it works
Bymer does not arrive as an e-mail. This worm randomly chooses IP addresses to search for Windows-based computers with an openly shared C: drive. It then installs several files in the Windows/System folder. After the computer restarts, users of infected machines may notice the system slowing down as the computer begins searching for more IP addresses to infect. There are reports of this worm disabling the infected computer's ability to "see" other computers on a local network.

Removal
Bymer is a stubborn worm. For example, if only the Registry entry for the Trojan has been removed, the Trojan will recreate the entry the next time the computer is booted.
