Bymer spreads through open network shares

This worm will scan for open NetBIOS ports across local networks or over the Internet, looking for Windows/System folders to infect.

Bymer (alias Msinit and Wininit) is a sophisticated Internet worm that infects computers without their users even knowing it. Bymer does not arrive as an email with an infected attachment; rather, this new worm randomly selects IP addresses to search for computers, on a network or over the Internet, that have open NetBIOS shares.

Bymer is one of a handful of new Trojan horses that also install client software. That client is a legitimate encryption and decryption software product and is not responsible for the Bymer worm.

This worm was discovered in the early fall of 2000, but several US antivirus companies have reported an increase in infections within the last few weeks. Bymer currently ranks as a 6 on the ZDNet virus meter.

Bymer does not arrive as an email. This worm randomly chooses IP addresses to search for Windows-based computers with an openly shared C: drive. It will then install several files to the Windows/System folder. After restarting the computer, infected users may notice a slowdown as their computer begins searching for more IP addresses to infect. There are reports of this worm disabling the infected computer's ability to "see" other computers on a local network.

Bymer is a stubborn worm. For example, if only the Registry entry for the Trojan has been removed, the Trojan will recreate the entry the next time the computer is booted. Symantec has published step-by-step removal instructions.
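The exposure described above is a shared C: drive that lets a remote machine write into the Windows/System folder. As an added example (not part of the original article or of any vendor's tooling), this Python script audits saved `net share` output for shares that expose a whole drive or the Windows folder. The sample listing is constructed, and the column layout and the `C:\WINDOWS` default are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `net share` output; not taken from a real host.
SAMPLE = r"""Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C            C:\
Docs         D:\Shared\Docs                  Team documents
SYSTEMFILES  C:\WINDOWS\SYSTEM
The command completed successfully.
"""

# Assumed row layout: share name, then a drive path, then an optional remark
# separated from the path by two or more spaces.
ROW = re.compile(r"^(\S+)\s+([A-Za-z]:\\.*?)(?:\s{2,}.*)?$")

def risky_shares(net_share_output, windir=r"C:\WINDOWS"):
    """Return (name, path, reason) for shares that expose a drive root or
    any path from which the Windows folder can be reached."""
    win = PureWindowsPath(windir)  # assumed install location
    findings = []
    for line in net_share_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator, IPC$ and status lines
        name, path = m.group(1), PureWindowsPath(m.group(2).strip())
        if name.endswith("$"):
            continue  # hidden administrative shares are out of scope here
        if path == PureWindowsPath(path.anchor):
            reason = "whole drive shared"
        elif path == win or win in path.parents or path in win.parents:
            reason = "Windows folder reachable"
        else:
            continue
        findings.append((name, str(path), reason))
    return findings

if __name__ == "__main__":
    for name, path, reason in risky_shares(SAMPLE):
        print(f"{name:<12} {path:<20} {reason}")
```

Any share it reports should be removed, narrowed to a data folder, or protected with a password and read-only access.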
