Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Threat LevelModerate threat
DistributionNot widespread


Bymer has been programmed to spread to other computers through networks.

Infection strategy 

Bymer follows the infection routine below:

  • It searches for IP addresses at random.
  • When it finds an IP address that allows access to the  C: drive of a computer, the virus copies itself to the Windows/System directory under the following name: WININIT.EXE.
  • Bymer will not spread to computers where the Windows/System directory does not exist (for example computers running under Windows NT, Windows 2000, etc.).

Bymer creates the following files:

  • DNETC.EXE and DNETC.INI, which are part of the RC5 application (distributed client process), not of the worm. Although Bymer installs these files, they are not part of it, which means that these files are not dangerous.

Bymer modifies the following file:

  • WIN.INI, to which it adds the following value:
    When the infected computer is restarted, Bymer deletes the value it inserted in the  WIN.INI file and creates the following entries in the Windows Registry:
  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run bymer.scanner = "c:\ windows\ system\ wininit.exe"
    By modifying this entry, Bymer ensures it is run every time the computer is started up.
  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices "C:\ WINDOWS\ SYSTEM\ dnetc.exe" -hide""
    With this entry, Bymer ensures the RC5 application is run without the user realizing.

Means of transmission 

Bymer mainly spreads through computer networks using TCP/IP connections.