Author: Dan Newman
Date: 11:17:13 11/12/00
On November 12, 2000 at 08:48:50, Frederic Friedel wrote:

>I have received the following warning from a colleague. He is extremely
>computer literate, so we can be sure this is not a hoax. However I can find
>nothing about this or the "Bymer" virus. Does anyone know more?
>

I got this one (or a variant of it) a month or so ago. The first clue I had was the multiple attempted logons. Then later I noticed a process, DNETC.exe, that was consuming a rather large amount of cpu time. I killed it, looked inside the executable, and found an http address there for distributed.net. The DNETC.exe program is their distributed computing client and has been used without their permission by the worm makers. The distributed.net site has a program for removing the worm, btw. (Apparently, this is technically a worm rather than a virus, but I suppose one component of this worm may be a virus itself.)

You get this worm by turning on drive sharing. I'd done this for easy access on my LAN, but didn't realize that the drive was also accessible via the internet--or at least I figured with dynamic IP addresses that I was fairly safe... The worm apparently generates "random" IP addresses and when it finds one that's real it attempts to access the C drive. When it finds one that's open (no password protection), it then copies itself (several files) into various locations, modifies the registry and so forth. I have no idea what its purpose is, but it seems like it might be someone's attempt to steal cpu cycles--given the distributed computing client...

I got no retaliatory action from deleting the wininit.exe or dnetc.exe files. (Actually, I renamed them first just in case they were important system files.) The thing seemed fairly benign except for all the hassle. (The worst part about it is I now have Norton antivirus on my system which itself seems very virus like :).)

-Dan.

>------------------
>Dear Fred,
>
>I have been attacked by a nasty Internet virus. I am not sure where it came
>from. It seems to be a version of the Bymer virus.
>
>You catch it via the Internet. The most obvious symptom is that your computer
>keeps trying to log on to the Internet (if you have it set up to log on without
>manual confirmation, then bad luck).
>
>Examination of the registry revealed an odd entry referring to a file
>wininit.exe, which was set to load at Start-Up (note that this does not appear
>in the Start-Up folder, only in the registry).
>
>I went to the Start-Up diagnostics in System Information and found an alien
>entry there, again referring to wininit.exe. I removed this entry, but this did
>not cure the problem. Going to the diagnostics again revealed that the virus had
>replaced its entry there. I then manually deleted wininit.exe and a few other
>files which seemed to be activated by it. The virus didn't like this and took
>retaliatory action. When I rebooted the computer I got to 'Starting Windows
>98...' and an instant later the screen filled with gibberish and the power to
>the computer went off (aren't these software-controlled power switches
>wonderful). The next problem is that pressing the on-off switch didn't restart
>the computer - I actually had to unplug it from the wall! It was even impossible
>to boot into safe mode as the power cut-off came first.
>
>Finally, I rebooted the computer from a floppy, reinstalled Windows and now
>everything seems OK. I have just ordered some firewall software.
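Added example, not part of the posts above: a small Python check that scans a REGEDIT4 registry export for autostart entries launching the two file names mentioned in this thread (wininit.exe, dnetc.exe). The posts only say "the registry", so the Run and RunServices keys checked here are an assumption, and the sample export, its paths and its value names are constructed.

```python
import re

# File names the posts above associate with the worm.
WATCHLIST = {"wininit.exe", "dnetc.exe"}
# Assumption: the posts only say "the registry"; these Windows 9x autostart
# keys are the ones this sketch checks.
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; paths and value names are made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\CONSTRUCTED\\WININIT.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Client"="\"C:\\CONSTRUCTED\\dnetc.exe\" /example"

[HKEY_LOCAL_MACHINE\Software\Example]
"Note"="wininit.exe"
'''

def suspicious_autostarts(reg_text):
    """Return (key, value name, command) for autostart entries that launch a watchlisted file."""
    hits, key, in_autostart = [], None, False
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            in_autostart = key.lower().endswith(AUTOSTART_SUFFIXES)
            continue
        m = VALUE_RE.match(line) if in_autostart else None
        if not m:
            continue
        # .reg exports escape backslashes and quotes; undo that first.
        command = re.sub(r"\\(.)", r"\1", m.group(2)).strip()
        # The executable is the first token, which may be quoted.
        exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
        if re.split(r"[\\/]", exe)[-1].lower() in WATCHLIST:
            hits.append((key, m.group(1), command))
    return hits

if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_REG):
        print(hit)
```

Matching is by file name only, so a hit is a prompt to inspect the entry, not proof of infection; the mention of wininit.exe under the non-autostart key in the sample is deliberately ignored.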
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.