Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
Dnet.Dropper, W32/MsInit.worm.a [McAfee], Worm.Bymer.a [Kaspersky], TROJ_MSINIT.A [Trend], WORM_BYMER.A [Trend], W32/Bymer-A [Sophos], Win32.Bymer.A [Computer Associates], W32.HLLW.Bymer
Spreads on Intranet / Internet over shared drives
It searches for IP addresses on systems, which have shared C:\ drives or Windows directories and copies itself on them.
TR/Worm.RC5.WinInit is a high-level language worm (HLLW).
There are two current versions of the worm: the first version comes as Wininit.exe file, the second one as Msinit.exe. They both have the same functionality, their routine being slightly different. Wininit.exe comes with Dnetc Client together, while Msinit.exe can only copy it. This is why the size of the worm file can be around 22KB or 220KB. All the received samples were packed with UPX and their size varies a little.
As both versions have similar functionality, the following information applies to both of them:
When the worm is activated for the first time, it modifies one of the following registry entries:
This activates the worm when the computer starts.
Then it immediately tries to spread, searching for IP addresses on shared drives. When it finds a shared drive, it checks for access to Windows directory. If access is achieved, the worm goes to Windows directory and modifies the Load= line in Win.ini file. This is a guarantee that the worm is activated when computer starts.
Then, according to the worm version, the Dnetc Client is copied or inserted.
Description inserted by Crony Walker on Tuesday, June 15, 2004