MSInit
Threat LevelDamageDistribution

Effects 

The effects of MSInit are not destructive.

MSInit has the following effects:

• It installs the program DNETC, which is a distributed process service.
• It spreads to other computers across networks.

Infection strategy 

MSInit creates the files DNETC.EXE and DNETC.INI, which are part of the RC5 application (distributed client process), not of the worm. Although MSInit installs these files, they are not part of it, which means that these files are not dangerous.

MSInit modifies the file WIN.INI, to which it adds the following value:
[windows]
load=C:\ WINDOWS\ SYSTEM\ WININIT.EXE

When the affected computer is restarted, MSInit deletes the value inserted in the file WIN.INI and creates the following entries in the Windows Registry:

• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
  bymer.scanner = c:\ windows\ system\ wininit.exe
  By modifying this entry, MSInit ensures it is run whenever the computer is started up.
• HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices distributed.net.client = C:\ WINDOWS\ SYSTEM\ dnetc.exe" -hide"
  By creating this entry, MSInit ensures the RC5 application is run without the user realizing.

Means of transmission 

MSInit mainly spreads through computer networks using TCP/IP connections. In order to do so, it follows the routine below:

• It searches for IP addresses at random.
• When it finds an IP address that allows access to the C: drive of a computer, the worm copies itself to the Windows/System directory under the name WININIT.EXE.
• MSInit will not spread to computers where the Windows/System directory does not exist (for example computers running under Windows NT, Windows 2000, etc.).