Hello everybody.

Not long after I hooked up to the internet with my DSL connection, I
suffered a security breach due to a persistent internet worm. Here is
some info on what I found out about it through removing it from my system:

"Bymer" worm/backdoor program info:

- Infects "Shared Folders" in Win 9x local area networks.
- Looks for vulnerabilities in internet-connected LANs due
  to file sharing and lack of passwords for shared resources.
- "Drops" a copy of the DNETC.EXE client, a legitimate program
  used by the Distributed.net organization, which, with internet
  users' permission, uses it to share the computer resources of
  all Distributed.net's members at once; in effect allowing their
  members to have access to the "world's biggest computer".
- Creates WININIT.EXE in the C:\Windows\System directory as a
  backdoor to provide remote access & control of your computer
  by the user of the DNETC.EXE client.

Solution:

- Run virus scan to clean the worm from your system.
- Go to http://www.distributed.net/trojans.html.en and download
  their "Wormfree" utility. Run the program; it will likely find
  several files in the C:\Windows\System directory and prompt
  you for a decision as to whether you want to delete them. If you
  do not want to delete them, then you should move/rename them.
- Disable file sharing on the drives it prompts you to, to prevent
  further vulnerabilities. If you need to keep file sharing, set
  a password for access to your shared drives.
- Run the virus scan again, just to make sure you caught everything.
- Check your computer's registry (regedit.exe) under HKEY_LOCAL_MACHINE\
  Software\Microsoft\Windows\CurrentVersion\Run and check your WIN.INI file
  to make sure there are no references to WININIT.EXE. If you find such
  references, delete them. Also delete any registry references to
  "Distributed Computing" or "DNETC.EXE".

WORMFREE.EXE found the following files in my C:\Windows\System
directory and identified them as being the result of a worm:

DNETC.EXE (Distributed.Net client)
DNETC.INI (Included the address: "[EMAIL PROTECTED]")
buff-in.rc5 (not certain as to purpose)
buff-in.ogr (purpose also uncertain)
WININIT.EXE (Found previously by F-Prot antivirus;
             recognized as a "Backdoor" program)
WININIT.LOG

Other worms do a similar thing to the Bymer worm. One uses Windows'
NOTEPAD.EXE to disguise itself. If you find a file called NOTE.COM
on your hard drive, you've likely got that form of worm. The worm
in that case renames NOTEPAD.EXE to NOTE.COM, and renames itself
to NOTEPAD.EXE.

Final note: WININIT.EXE if found in the C:\Windows directory is a
legitimate and /necessary/ file, needed for installing new programs.
** DO NOT ** remove this copy of the file, ONLY remove the one in
C:\Windows\System.
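The registry/WIN.INI check above, the WININIT.EXE location rule, and the NOTE.COM indicator can be turned into a small audit script. The following is an added example, not code from the original post or from Distributed.net; the Run-key export, WIN.INI excerpt and directory listing it checks are constructed sample data, and the function names (find_references, classify_wininit, notepad_swap_indicator, audit) are hypothetical.

```python
from pathlib import PureWindowsPath

# Constructed sample input (not a real export): a regedit text export of the
# Run key, seeded with the references the post says to look for.
SAMPLE_RUN_KEY_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Distributed Computing"="C:\\WINDOWS\\SYSTEM\\DNETC.EXE -hide"
"wininit"="C:\\WINDOWS\\SYSTEM\\WININIT.EXE"
"""

# Constructed WIN.INI excerpt with a run= line pointing at the dropped file.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\WININIT.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed listing of C:\WINDOWS showing the NOTE.COM swap described in the post.
SAMPLE_WINDOWS_DIR = ["WIN.INI", "WININIT.EXE", "NOTEPAD.EXE", "NOTE.COM"]

# Indicators named in the post; matched case-insensitively because Win9x
# file names and registry value names are not case-sensitive.
INDICATORS = ("WININIT.EXE", "DNETC.EXE", "DISTRIBUTED COMPUTING")


def find_references(text, indicators=INDICATORS):
    """Return (line_no, matched_indicators, line) for each line that mentions
    at least one indicator. Works on any text: a .reg export, WIN.INI, etc."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        upper = line.upper()
        matched = [ind for ind in indicators if ind in upper]
        if matched:
            hits.append((line_no, matched, line.strip()))
    return hits


def classify_wininit(path):
    """Apply the post's Win9x rule: WININIT.EXE directly under the Windows
    directory is the legitimate installer helper; a copy under Windows\\System
    is the worm's backdoor. Anything else is reported for manual review."""
    p = PureWindowsPath(path)
    if p.name.upper() != "WININIT.EXE":
        return "not-wininit"
    parents = [part.upper() for part in p.parent.parts]  # e.g. ['C:\\', 'WINDOWS', 'SYSTEM']
    if len(parents) >= 2 and parents[-1] == "SYSTEM" and parents[-2] == "WINDOWS":
        return "suspect-backdoor"
    if parents and parents[-1] == "WINDOWS":
        return "legitimate"
    return "unexpected-location"


def notepad_swap_indicator(file_names):
    """True if NOTE.COM sits in the listing: the sign that the real NOTEPAD.EXE
    was renamed and replaced, as the post describes."""
    return "NOTE.COM" in {name.upper() for name in file_names}


def audit(run_key_export, win_ini, windows_dir_listing):
    """Combine the three checks into one report dictionary."""
    return {
        "run_key_refs": find_references(run_key_export),
        "win_ini_refs": find_references(win_ini),
        "notepad_swap": notepad_swap_indicator(windows_dir_listing),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RUN_KEY_EXPORT, SAMPLE_WIN_INI, SAMPLE_WINDOWS_DIR)
    for section in ("run_key_refs", "win_ini_refs"):
        for line_no, matched, line in report[section]:
            print(f"{section}: line {line_no} matches {matched}: {line}")
    print("NOTE.COM present:", report["notepad_swap"])
    for candidate in (r"C:\WINDOWS\WININIT.EXE", r"C:\WINDOWS\SYSTEM\WININIT.EXE"):
        print(candidate, "->", classify_wininit(candidate))
```

The location rule is the Win9x one from the post; on NT-family Windows (2000 onward) wininit.exe legitimately lives in System32, which this script deliberately reports as "unexpected-location" rather than "legitimate" so the reader reviews it against the right baseline for their system.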




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16451&t=16451
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html