North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: New Worm

  • From: Roeland Meyer
  • Date: Fri Sep 14 12:25:16 2001

Strange that this one resurfaces just after we discussed Win shares t'other
day.

-----Original Message-----
From: Hire, Ejay [mailto:[email protected]]
Sent: Friday, September 14, 2001 8:25 AM
To: [email protected]
Subject: RE: New Worm


I was in error.  This is not a new worm.  Just an old one that won't die.
http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html

Apologies.

-----Original Message-----
From: Ejay Hire [mailto:[email protected]]
Sent: Friday, September 14, 2001 12:04 PM
To: [email protected]
Subject: New Worm


My Honeypot was infected with a new self-replicating worm yesterday.  It
appears to check for open win95/98/me netbios shares with read/write
permission and installs wininit.exe (the scanner/infector) and the
distributed.net client (In quiet Mode).  Upon reboot, the scanner will start
and search for infectable hosts during periods of inactivity.  The windows
2000 pro pc seems unaffected.  I will make the files available for
dis-assembly if anyone is interested.

To check for infection, look for the following files in c:/windows/system

wininit.exe  --Application
wininit.log  --Apparent Log file
info.dll   --Apparent Log file
dnetc.exe  --  Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...