Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:Dnet.Dropper, W32/MsInit.worm.a [McAfee], Worm.Bymer.a [Kaspersky], TROJ_MSINIT.A [Trend], WORM_BYMER.A [Trend], W32/Bymer-A [Sophos], Win32.Bymer.A [Computer Associates], W32.HLLW.Bymer
Damage:Spreads on Intranet / Internet over shared drives 
VDF Version:6.xx.xx.xx 

DistributionIt searches for IP addresses on systems, which have shared C:\ drives or Windows directories and copies itself on them.

Technical DetailsTR/Worm.RC5.WinInit is a high-level language worm (HLLW).
There are two current versions of the worm: the first version comes as Wininit.exe file, the second one as Msinit.exe. They both have the same functionality, their routine being slightly different. Wininit.exe comes with Dnetc Client together, while Msinit.exe can only copy it. This is why the size of the worm file can be around 22KB or 220KB. All the received samples were packed with UPX and their size varies a little.
As both versions have similar functionality, the following information applies to both of them:
When the worm is activated for the first time, it modifies one of the following registry entries:


This activates the worm when the computer starts.
Then it immediately tries to spread, searching for IP addresses on shared drives. When it finds a shared drive, it checks for access to Windows directory. If access is achieved, the worm goes to Windows directory and modifies the Load= line in Win.ini file. This is a guarantee that the worm is activated when computer starts.
Then, according to the worm version, the Dnetc Client is copied or inserted.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .