Threat Encyclopedia


Win32/MSInit.A

Aliases: W32.Bymer.A, W32.HLLW.Bymer

Win32/MSInit.A is a worm written in a high-level programming language.  Its size is 22016 bytes; to reduce its size, the worm is compressed with the UPX utility.  After unpacking, its size grows to 73728 bytes.  The worm runs under the Windows operating system and is able to spread over a computer network.
When the worm is executed, it tries to copy itself to drive C: of a randomly chosen computer.  If it succeeds, the files dnetc.exe, dnetc.ini and wininit.exe appear in the directory Windows/System.  The first two files belong to the RC5 client; the last one is a copy of the worm.  The worm modifies the file win.ini on the remote computer to ensure that the worm is activated after a system restart.
On the computer where it was executed, the worm modifies the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and creates the item "bymer.scanner" in it.  This ensures its activation at each system start.
As a result of the worm attack, the RC5 client is executed in hidden mode.  This client is a legitimate application of the distributed network, which is used for breaking ciphers by a “brute force” attack.  The client's activity may decrease the computer's performance.
The worm was given one of its names by the text in the file dnetc.ini:

[parameters]
id=bymer@ukrpost.net

[misc]
project-priority=OGR,RC5,CSC,DES

[rc5]
fetch-workunit-threshold=64

[ogr]
fetch-workunit-threshold=16

[triggers]
restart-on-config-file-change=yes
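
A triage check built from the indicators in this entry, as an added example that is not Eset's code: it inspects an offline copy of a Windows directory for the dropped files, the dnetc.ini id and a win.ini autostart reference, and matches a supplied list of Run-key value names. The function names, the offline-copy layout, the load=/run= entries checked and the sample tree are assumptions made for the example.

```python
import configparser
from pathlib import Path

# Indicators taken from the description above.
DROPPED_FILES = ("dnetc.exe", "dnetc.ini", "wininit.exe")
CLIENT_ID = "bymer@ukrpost.net"
RUN_VALUE = "bymer.scanner"

def read_ini(path):
    """Parse an INI file leniently; None if absent or unparsable."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    try:
        cp.read_string(Path(path).read_text(errors="replace"))
    except (OSError, configparser.Error):
        return None
    return cp

def triage(windows_dir, run_value_names=()):
    """Findings for an offline copy of a Windows directory (assumed layout).
    run_value_names: value names exported from the HKLM ...\\CurrentVersion\\Run key."""
    win = Path(windows_dir)
    system = win / "System"
    # File names alone are weak evidence: dnetc.exe is a legitimate client.
    findings = [f"file:{n}" for n in DROPPED_FILES if (system / n).is_file()]
    ini = read_ini(system / "dnetc.ini")
    if ini is not None and (ini.get("parameters", "id", fallback="") or "").strip().lower() == CLIENT_ID:
        findings.append("dnetc.ini:id")
    win_ini = read_ini(win / "win.ini")
    for section in (win_ini.sections() if win_ini is not None else []):
        if section.lower() != "windows":
            continue
        # Assumption: the entry does not name the win.ini line that is changed;
        # load= and run= are the autostart entries of the [windows] section.
        for key in ("load", "run"):
            if "wininit.exe" in (win_ini.get(section, key, fallback="") or "").lower():
                findings.append(f"win.ini:{key}")
    if any(n.lower() == RUN_VALUE for n in run_value_names):
        findings.append("run-key:" + RUN_VALUE)
    return findings

def make_constructed_sample(root):
    """Build a constructed (not captured) tree that carries the indicators."""
    windows = Path(root) / "Windows"
    (windows / "System").mkdir(parents=True)
    for name in ("dnetc.exe", "wininit.exe"):
        (windows / "System" / name).write_bytes(b"")
    (windows / "System" / "dnetc.ini").write_text("[parameters]\nid=bymer@ukrpost.net\n")
    (windows / "win.ini").write_text("[windows]\nload=c:\\windows\\system\\wininit.exe\n")
    return windows
```

The more independent findings that match, the stronger the result: the id line in dnetc.ini and the "bymer.scanner" value are specific to this worm, while the file names are not.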

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.