Worm.Bymer.b
Description Worm.Bymer.b
This program is a PE EXE worm (Win32 application). It infects Win9x machines with open file shares. This worm propagates by randomly selecting an arbitrary IP address and attempting to connect to the "C" file share on that machine. If it is successful in accessing that share, it will copy several files into the remote machine's "WINDOWSStart MenuProgramsStartUp" and "WINDOWSSYSTEM" directories:
MSxxx.EXE ~22016 bytes (size and filename varies slightly)
MSCLIENT.EXE 4096 bytes
INFO.DLL (text file log of other infected computers)
DNETC.EXE 186188 bytes (RC5 client)
DNETC.INI (containing the email address bymer@inec.kiev.ua)
Additionally, as a part of the infection, the following line may be added to the remote computer's WINDOWSWIN.INI file:
[windows]
load=c:windowssystemmsxxx.exe
Once either of the first two EXEs have executed once, under the registry key, the following registry value may be added:
[HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServices]
MSINIT=c:windowssystemmsxxx.exe (filename varies)
The filename MSxxx.EXE varies.
Since the worm also executes "dnetc.exe -hide -install", there will also be the addition of another registry value to automatically start the client as well.
Check other viruses! Be aware! Use Antiviral Software
MQ.278
Description MQ.278
It is not a dangerous memory resident parasitic virus. It copies itself into Interrupt Vectors Table, hooks INT 21h and writes itself to the beginning of .COM files that are created. After 13th infection the virus terminates the execution of the files and displays:
Fuck off
The virus also contains the ID-strings:
MQ
MW2
MR.962
Description MR.962
It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files that are executed or opened. The virus has the bugs and can halt the system. On 17th of any month it deletes the files. The virus contains the text strings:
(c) MR7666
T910D
|