Summary

| Detected by | All Sophos products |
|---|---|
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
Run a scan in Sophos Anti-Virus and remove all files infected with W32/Bymer-A. Make a note of the names of the files.
Open Win.ini and search for the 'load=' line. If this line refers to any of the files you deleted, remove that entry (the reference to the file, not the whole line).
Open the Registry - at the Windows taskbar, select Start|Run. Type in "Regedit" and press return. The registry editor will open.
Before you edit the registry, it is recommended you make a backup. To do this, in the Registry menu, click on Export Registry File, in Export Range select All, then save your registry as Backup.
Locate the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete any value referring to any of the files deleted above. There may not be such a reference. Close Registry Editor and restart your computer.
Delete dnetc.exe from the Windows system folder if it has not been installed legitimately.
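The Win.ini and RunServices steps above, as an added Python example (not Sophos code): it removes only the entries naming deleted files from the 'load=' line and lists the RunServices values that reference them. The file names, the sample Win.ini text and the registry values are constructed placeholders, and it assumes entries are separated by spaces or commas with no spaces inside paths.

```python
import ntpath
import re

def _name(entry):
    # Compare on file name only, case-insensitively, as Windows does.
    return ntpath.basename(entry.strip('"')).lower()

def clean_load_line(win_ini_text, deleted_files):
    """Drop deleted files from load= in [windows]; keep the line and other entries."""
    deleted = {_name(f) for f in deleted_files}
    out, removed, in_windows = [], [], False
    for raw in win_ini_text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]  # preserve the file's original line endings
        if body.strip().startswith("["):
            in_windows = body.strip().lower() == "[windows]"
        m = re.match(r"^(\s*load\s*=)(.*)$", body, re.IGNORECASE)
        if in_windows and m:
            kept = []
            # Assumption: entries are separated by spaces or commas.
            for entry in filter(None, re.split(r"[,\s]+", m.group(2))):
                if _name(entry) in deleted:
                    removed.append(entry)
                else:
                    kept.append(entry)
            body = m.group(1) + " ".join(kept)
        out.append(body + eol)
    return "".join(out), removed

def flag_runservices(values, deleted_files):
    """Return names of RunServices values whose command names a deleted file."""
    deleted = {_name(f) for f in deleted_files}
    return [n for n, cmd in values.items()
            if cmd.split() and _name(cmd.split()[0]) in deleted]

# Constructed sample data; PLACEHOLDER1.EXE stands in for a file the scan removed.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=C:\\WINDOWS\\SYSTEM\\PLACEHOLDER1.EXE c:\\tools\\clock.exe\r\n"
    "run=\r\n"
    "[other]\r\n"
    "load=placeholder1.exe\r\n"
)
SAMPLE_RUNSERVICES = {
    "ExampleHelper": "C:\\WINDOWS\\SYSTEM\\PLACEHOLDER1.EXE",
    "ExampleBackup": "C:\\TOOLS\\BACKUP.EXE /quiet",
}
```

Review the returned list of removed entries before writing the cleaned text back, and keep the registry backup from the earlier step until the machine has restarted cleanly.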
More Information
W32/Bymer-A is a worm that propagates through open file shares.
The worm tries IP addresses at random. If it finds a machine with a share called "C", it will infect the machine by copying files to the Windows and Windows system directories.
The worm may set the load= line in win.ini or a registry key in HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices to run the worm on system startup.
The worm also secretly installs a distributed.net program dnetc.exe in the Windows system folder.
Please note: dnetc.exe is legitimate software that may have been installed with permission.
