Summary
During autumn 2000 there appeared 2 worms that drop RC5 clients on computers they infect. Below you can find descriptions of both of these worms.
Removal
Bymer worm variants can be successfully disinfected with a fresh version of FSAV and the latest updates for it. https://www.europe.f-secure.com/download-purchase/ https://www.europe.f-secure.com/download-purchase/updates.shtml Note that worm's file(s) might be locked while Windows is active and older versions of FSAV for Windows might not be able to remove it. In this case you can exit to DOS and remove the worm's file(s) manually.
You can also use a free version of F-Prot for DOS to remove Bymer worm from an infected system. It is a requirement to perform disinfection from pure DOS. ftp://ftp.europe.F-Secure.com/anti-virus/free/ ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/ After deletion/renaming of worm components the dropped RC5 client (DNETC.EXE file) should be manually removed from a system as FSAV does not do this automatically.
Note: When worm components are removed, Windows might start to complain about missing files at startup. In this case you have to manually edit WIN.INI file and remove worm's execution string after LOAD= tag in [Boot] section.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Variant:Bymer.A
This worm is a PE executable (Win32 application). It infects Win9x machines with open file shares. This worm tries to locate a victim computer by randomly selecting an arbitrary IP address and attempting to connect to 'C' file share on that machine. If it is successful in accessing that shared resource, it will copy several files into the remote computer's \Windows\System\ directory:
WININIT.EXE - worm's body 22016 bytes long DNETC.EXE - Distributed Net RC5 client 186188 bytes long DNETC.INI - INI-file with settings for RC5 client
Additionally, the following line may be added to the remote computer's \Windows\WIN.INI file:
[windows] load=C:\WINDOWS\SYSTEM\WININIT.EXE
This will enable autostarting of the worm during all Windows sessions. After rebooting on the the infected computer, the worm (WININIT.EXE) file executes RC5 client (DNETC.EXE) in hidden mode and continues to infect other computers.
Variant:Bymer.B
This worm is a PE executable too (Win32 application). It infects Win9x machines with open file shares. This worm tries to locate a victim computer by randomly selecting an arbitrary IP address and attempting to connect to 'C' file share on that machine. If it is successful in accessing that shared resource, it will copy several files into the remote machine's \Windows\Start Menu\Programs\StartUp\ and \Windows\System\ directories:
MSxxx.EXE - worm component 22016 bytes long (size and filename varies slightly) MSCLIENT.EXE - worm component 4096 bytes long INFO.DLL - text file log of other infected computers DNETC.EXE - Distributed Net RC5 client 186188 bytes DNETC.INI - INI-file with settings for RC5 client
Additionally, the following line may be added to the remote computer's \WINDOWS\WIN.INI file:
[windows] load=c:\windows\system\msxxx.exe
This will enable autostarting of the worm during all Windows sessions. When any of two worm components is executed, the following data is entered into the registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] MSINIT=c:\windows\system\msxxx.exe
The filename MSxxx.EXE may vary.
When the worm executes the RC5 client in hidden mode, it also modifies Registry to start the client every time Windows starts.
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.