Welcome to the Virus Encyclopedia of Panda Security.
Bymer has been programmed to spread to other computers through networks.
Bymer follows the infection routine below:
- It searches for IP addresses at random.
- When it finds an IP address that allows access to the C: drive of a computer, the virus copies itself to the Windows/System directory under the following name: WININIT.EXE.
- Bymer will not spread to computers where the Windows/System directory does not exist (for example, computers running Windows NT, Windows 2000, etc.).
Bymer creates the following files:
- DNETC.EXE and DNETC.INI, which are part of the RC5 application (distributed client process). Bymer installs these files, but they are not part of the worm, which means that these files are not dangerous.
Bymer modifies the following file:
- WIN.INI, to which it adds the following value:
load=C:\WINDOWS\SYSTEM\WININIT.EXE
When the infected computer is restarted, Bymer deletes the value it inserted in the WIN.INI file and creates the following entries in the Windows Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run bymer.scanner = "c:\windows\system\wininit.exe"
With this entry, Bymer ensures that it is run every time the computer is started up.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices distributed.net.client = "C:\WINDOWS\SYSTEM\dnetc.exe" -hide
With this entry, Bymer ensures the RC5 application is run without the user realizing.
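The two persistence stages described above (the WIN.INI load= line before the first restart, the Run and RunServices values after it) can be checked for in a copy of WIN.INI and a text export of the registry. This is an added example, not part of the original encyclopedia entry: the function names and sample inputs are constructed, and the REGEDIT4 export format with doubled backslashes is an assumption about how the registry data was collected.

```python
import re

# Indicators taken from the entry above; all comparisons are case-insensitive.
WORM_PATH = r"c:\windows\system\wininit.exe"
RC5_PATH = r"c:\windows\system\dnetc.exe"
HKLM_CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {HKLM_CV + r"\run": ("bymer.scanner", WORM_PATH),
            HKLM_CV + r"\runservices": ("distributed.net.client", RC5_PATH)}

def check_win_ini(text):
    """Findings for a load= line in the [windows] section that starts the worm copy."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = line.split("=", 1)
            programs = value.lower().replace(",", " ").split()
            if key.strip().lower() == "load" and WORM_PATH in programs:
                findings.append("WIN.INI load= starts " + WORM_PATH)
    return findings

def check_reg_export(text):
    """Findings for the Run/RunServices values in a REGEDIT4 text export (assumed format)."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or key not in RUN_KEYS:
            continue
        name, path = RUN_KEYS[key]
        # Undo the export's escaping (\\ -> \ and \" -> ") before comparing.
        data = m.group(2).replace("\\\\", "\\").replace('\\"', '"').lower()
        if m.group(1).lower() == name and path in data:
            findings.append(key.rsplit("\\", 1)[1] + " value " + name + " starts " + path)
    return findings

# Constructed sample inputs (not captured from a real system).
SAMPLE_WIN_INI = "[windows]\nload=C:\\WINDOWS\\SYSTEM\\WININIT.EXE\nrun=\n"
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"bymer.scanner"="c:\\windows\\system\\wininit.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"distributed.net.client"="C:\\WINDOWS\\SYSTEM\\dnetc.exe -hide"
'''
if __name__ == "__main__":
    print("\n".join(check_win_ini(SAMPLE_WIN_INI) + check_reg_export(SAMPLE_REG)))
```

A host caught between infection and its first restart shows only the WIN.INI finding; after the restart the entry says the load= value is deleted, so only the registry findings remain.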
Means of transmission
Bymer mainly spreads through computer networks using TCP/IP connections.