This program is a PE EXE worm (Win32 application). It infects Win9x machines with open file shares. The worm propagates by selecting an IP address at random and attempting to connect to the "C" file share on that machine. If it succeeds in accessing that share, it copies several files into the remote machine's "\WINDOWS\Start Menu\Programs\StartUp\" and "\WINDOWS\SYSTEM\" directories:
MSxxx.EXE ~22016 bytes (size and filename vary slightly)
MSCLIENT.EXE 4096 bytes
INFO.DLL (text file log of other infected computers)
DNETC.EXE 186188 bytes (RC5 client)
DNETC.INI (containing the email address bymer@inec.kiev.ua)
Additionally, as a part of the infection, the following line may be added to the remote computer's \WINDOWS\WIN.INI file:
[windows]
load=c:\windows\system\msxxx.exe
Once either of the first two EXEs has executed, the following registry value may be added under this registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
MSINIT=c:\windows\system\msxxx.exe (filename varies)
The filename MSxxx.EXE varies.
Since the worm also executes "dnetc.exe -hide -install", another registry value is added to start the client automatically as well.
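
A triage check built from the indicators listed above, as an added example that is not part of the original description: it reads the text of WIN.INI, a path-to-size file listing and the text of DNETC.INI, and returns leads for review. The MS*.EXE name pattern, the 1024-byte size tolerance, the run= check and all sample data are assumptions or constructed values.

```python
import re

# File names, sizes and the e-mail address come from the description above.
# Assumptions: the MS*.EXE pattern and the size tolerance (the page only says
# the dropper's name and size vary slightly).
WININI_DROPPER = re.compile(r"\\windows\\system\\ms[^\\/]*\.exe$", re.I)
DROPPER_SIZE, TOLERANCE = 22016, 1024
FIXED = {"msclient.exe": 4096, "dnetc.exe": 186188, "info.dll": None, "dnetc.ini": None}
DROP_DIRS = ("\\windows\\system\\", "\\windows\\start menu\\programs\\startup\\")
CONTACT = "bymer@inec.kiev.ua"

def winini_autostart(text):
    """Programs on load=/run= lines of [windows] (run= is an added check)."""
    section, found = "", []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("load", "run"):
                found += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

def triage(win_ini, listing, dnetc_ini=""):
    """Return (finding, detail) leads; listing maps full path -> size in bytes."""
    hits = [("win.ini autostart", p) for p in winini_autostart(win_ini)
            if WININI_DROPPER.search(p)]
    for path, size in listing.items():
        folder, _, name = path.lower().rpartition("\\")
        if not (folder + "\\").endswith(DROP_DIRS):
            continue  # only the two drop directories named on the page
        if name in FIXED:
            ok = FIXED[name] in (None, size)
            hits.append(("file" if ok else "file (size differs)", path))
        elif name.startswith("ms") and name.endswith(".exe") \
                and abs(size - DROPPER_SIZE) <= TOLERANCE:
            hits.append(("dropper candidate", path))
    if CONTACT in dnetc_ini.lower():
        hits.append(("dnetc.ini contact", CONTACT))
    return hits

# Constructed sample data (not taken from a real infected machine).
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\system\\msabc.exe\nrun=\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_LISTING = {r"C:\WINDOWS\SYSTEM\MSABC.EXE": 22016, r"C:\WINDOWS\SYSTEM\MSCLIENT.EXE": 4096,
                  r"C:\WINDOWS\SYSTEM\DNETC.EXE": 186188, r"C:\WINDOWS\SYSTEM\MSCONFIG.EXE": 90112,
                  r"C:\GAMES\DNETC.EXE": 186188}
SAMPLE_DNETC_INI = "id=bymer@inec.kiev.ua\n"
```

On the constructed sample, triage(SAMPLE_WIN_INI, SAMPLE_LISTING, SAMPLE_DNETC_INI) returns five leads; the MSCONFIG.EXE entry and the DNETC.EXE copy outside the drop directories are not flagged. A hit is a lead for review rather than a verdict, since DNETC.EXE is also installed deliberately by some users.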
