dnetc.exe

Status
Closed to further replies.

Hertogjan

User
Joined
27 Jun 2001
Messages
453
When I go on the internet, ZoneAlarm reports that dnetc.exe
wants to make a connection.
Who knows what kind of program this is??
 
You have a virus.
Read the following.

F-Secure Virus Descriptions : Bymer







NAME: Bymer
ALIAS: Worm_Bymer_a, Worm.Bymer, Worm.RC5

During autumn 2000 there appeared 2 worms that drop RC5 clients on computers they infect. Below you can find descriptions of both of these worms.

VARIANT: Bymer.A


This worm is a PE executable (Win32 application). It infects Win9x machines with open file shares. This worm tries to locate a victim computer by randomly selecting an arbitrary IP address and attempting to connect to 'C' file share on that machine. If it is successful in accessing that shared resource, it will copy several files into the remote computer's \Windows\System\ directory:


WININIT.EXE - worm's body 22016 bytes long
DNETC.EXE - Distributed Net RC5 client 186188 bytes long
DNETC.INI - INI-file with settings for RC5 client

Additionally, the following line may be added to the remote computer's \Windows\WIN.INI file:


[windows]
load=C:\WINDOWS\SYSTEM\WININIT.EXE

This will enable autostarting of the worm during all Windows sessions. After rebooting on the infected computer, the worm (WININIT.EXE) file executes RC5 client (DNETC.EXE) in hidden mode and continues to infect other computers.


VARIANT: Bymer.B


This worm is a PE executable too (Win32 application). It infects Win9x machines with open file shares. This worm tries to locate a victim computer by randomly selecting an arbitrary IP address and attempting to connect to 'C' file share on that machine. If it is successful in accessing that shared resource, it will copy several files into the remote machine's \Windows\Start Menu\Programs\StartUp\ and \Windows\System\ directories:


MSxxx.EXE - worm component 22016 bytes long (size and filename varies slightly)
MSCLIENT.EXE - worm component 4096 bytes long
INFO.DLL - text file log of other infected computers
DNETC.EXE - Distributed Net RC5 client 186188 bytes
DNETC.INI - INI-file with settings for RC5 client

Additionally, the following line may be added to the remote computer's \WINDOWS\WIN.INI file:


[windows]
load=c:\windows\system\msxxx.exe

This will enable autostarting of the worm during all Windows sessions. When any of two worm components is executed, the following data is entered into the registry:


[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
MSINIT=c:\windows\system\msxxx.exe

The filename MSxxx.EXE may vary.

When the worm executes the RC5 client in hidden mode, it also modifies Registry to start the client every time Windows starts.

Bymer worm variants can be successfully disinfected with a fresh version of FSAV and the latest updates for it.

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml

Note that worm's file(s) might be locked while Windows is active and older versions of FSAV for Windows might not be able to remove it. In this case you can exit to DOS and remove the worm's file(s) manually.

You can also use a free version of F-Prot for DOS to remove Bymer worm from an infected system. It is a requirement to perform disinfection from pure DOS.

ftp://ftp.europe.F-Secure.com/anti-virus/free/
ftp://ftp.europe.F-Secure.com/anti-virus/updates/f-prot/dos/

After deletion/renaming of worm components the dropped RC5 client (DNETC.EXE file) should be manually removed from a system as FSAV does not do this automatically.

Note: When worm components are removed, Windows might start to complain about missing files at startup. In this case you have to manually edit WIN.INI file and remove worm's execution string after LOAD= tag in [Boot] section.

[Analysis: Kaspersky Labs, F-Secure Corp.; October 2000 - January 2001]
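
Added example, not part of the forum posts or the F-Secure description: a Python check that reads a WIN.INI and flags the `load=`/`run=` autostart entries the description names, returning a cleaned copy with those entries removed. The `scan_win_ini` name, the sample file, and reading `MSxxx.EXE` as `MS` plus any three characters are assumptions made here.

```python
import re

# Autostart targets named in the quoted description. The "xxx" in MSxxx.EXE is
# read as any three characters: an assumption, the page only says it varies.
SUSPECT = [
    re.compile(r"^[a-z]:\\windows\\system\\wininit\.exe$", re.I),
    re.compile(r"^[a-z]:\\windows\\system\\ms\w{3}\.exe$", re.I),
]

def scan_win_ini(text):
    """Return (findings, cleaned_text) for the load=/run= keys of [windows]."""
    findings, out, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        header = re.match(r"^\[(.+?)\]$", stripped)
        if header:
            section = header.group(1).lower()
            out.append(line)
            continue
        name, sep, value = stripped.partition("=")
        key = name.strip().lower()
        if section == "windows" and sep and key in ("load", "run"):
            # Several programs may be listed, separated by spaces or commas.
            entries = [e for e in re.split(r"[\s,]+", value.strip()) if e]
            keep = []
            for entry in entries:
                if any(p.match(entry) for p in SUSPECT):
                    findings.append((key, entry))
                else:
                    keep.append(entry)
            if len(keep) != len(entries):
                # Rewrite the line without the flagged entries only.
                out.append(f"{name.strip()}={' '.join(keep)}")
                continue
        out.append(line)
    return findings, "\n".join(out)

# Constructed sample WIN.INI, not taken from an infected machine.
SAMPLE = """[windows]
load=C:\\WINDOWS\\SYSTEM\\WININIT.EXE c:\\tools\\clock.exe
run=
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE)
    for key, path in hits:
        print(f"suspicious {key}= entry: {path}")
    print(cleaned)
```

A match is a lead to confirm against the file names and sizes listed in the description, not a verdict on its own.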





 
It may have to do with a virus, but it doesn't have to. There is nothing wrong with the file in itself.

distributed.net client = DNETC.EXE

Distributed computing projects client from Distributed.net where numerous computers are used to share a project's workload - similar to SETI@Home and Folding@Home. Also prone to being distributed by viruses

Also read this:

http://www.distributed.net//trojans.php.en

To be sure, I would run an online scan at Trend Micro HouseCall or Panda Active Scan

And do the following:

Go to http://tomcoyote.org/hjt/ , and download 'Hijack This' there.

Unpack it, and then double-click HijackThis.exe.
Click "Scan", then "Save Log File", and then post the contents of that log here.

Don't let Hijack This fix anything before you have shown us that log, because most of it absolutely must not be removed!
 
I did indeed have a virus, so it did slip past my virus scanner. After scanning my computer once more, it did see the worm virus.
 