Contact US

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Bymer virus

Bymer virus

Bymer virus

I hope that someone can help me with a recurring virus problem. When I am on the internet I am told by Norton Antivirus once every week or so that the W32.HLLW.Bymer virus has been found. I elect to remove it and my Norton log says "C:\WINDOWS\SYSTEM\wininit.exe
was infected with the W32.HLLW.Bymer virus.
The file was deleted"
First question: I understand that the virus is spread by other computers on the internet searching randomly for open IP addresses. My pc has only TCP/IP dail-up protocol loaded with no IP address assigned to the pc. Is the virus coming to me from my on-line connection?

Also, I understand that the virus causes networked pc's to not be able to see other mapped drives. I am not able to see the other networked pc in my home office. It does not show up in network neighborhood but that other pc is able to see the mapped drives on the "Bymer virus pc". I have run the Trend Micro Bymer removal tool and it says that I am not infected. I assume this is because Norton had deleted the WININIT.EXE file from windows/system before it sets up.

Finally, I read that the Bymer virus sits on your pc and searches the internet for open IP's to spread to without your knowing it. I have had problems with my dialup connection for a couple of months since I got my first Bymer message from Norton. My symptom is that I will be browsing web sites and suddenly my connection will temporarily stop. I do not lose the connection but the bytes sent and received just stop. Then 30-60 seconds later they will resume and the page will display normally or everything will eventually slow down to untolerable speeds. The phone company has checked my lines and my ISP has given up trying to figure out why my connection pauses. Could this be the Bymer virus looking for open IP's at that time?

Can anyone put all of this together and tell me what might be going on with these regular Bymer messages from Norton, the lost network drives and the internet dialup pausing. It's driving me crazy.

RE: Bymer virus

The following is from my Sophos library:

This is a worm that propagates through open file shares. It tries IP addresses at random and if it finds a share called "C" it will copy itself to the Windows system folder. It may set the load= line in win.ini or a registry key in HKLM\Microsoft\Windows\CurrentVersion\RunServices to run the worm on system startup.
It will also secretly install a distributed.net program dnetc.exe in the Windows system folder, but note that this is legitimate software that may have been installed with permission.

First reported in October 2000.


Perform a secure bootstrap from a clean system disk with the same version of the operating system as the one installed on the hard disk.

It sounds like your either your distributed.net or dnetc.exe files are infected.

James P. Cottingham

RE: Bymer virus

Here is the information from http://www.mcafee.com:

Name: W32/Msinit

W32/Msinit has been seen with the filenames, "MSINIT.EXE" and MS*.EXE [where * represents the first segment of the victim's IP subnet, ie. MS216.EXE]. This worm spreads through open network shares like the VBS/Netlog worm. It scans random IP address over NetBIOS for computers that have shares named "C" and a Windows folder called "Windows". When it finds one, it copies itself and the files "dnetc.exe" and "dnetc.ini" to the "c:\windows\system" folder of the remote computer. The file "dnetc.exe" is an encryption-cracking program from www.distributed.net, which is not the author of this worm. The samples received by AVERT are packed with the UPX file-compression utility.

Other than that, I haven't heard of this one...

Terry M. Hoey
While I don't mind e-mail messages, please post all questions in these forums for the benefit of all members.

RE: Bymer virus

I am also suffering from the same symptoms described by mmherder.  It is most annoying because I have already run a clean boot and have manually deleted all the files associated with the virus and its dissemination.  In addition, I have chosen to delete the file every time Norton 2001 finds an infection and I have altered win.ini many, many times.  I have also run utilities to kill this thing.  Still, no permanent solution.

I also have a dynamic IP address because I am using a dial-up.  It seems to me (and I do not consider myself to be a guru on this) that there must be a program residing in the host computer (mine) that resets the virus periodically.  What I would like to do is set up something to track changes in my win.ini, so that I will know what program is attempting to modify it (and when).  Is there such a utility?  If you know of any, please respond to this forum.

Thank you for your help.

Edward R. Valdes

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close