W32.Randex.C

From Symantec:


"W32.Randex.C is a network-aware worm that will copy itself as the following files:

Admin$system32msmonk32.exe
c$winntsystem32msmonk32.exe

The worm will receive instructions from an IRC channel on a specific IRC server. One such command will trigger the aforementioned spreading.



Type: Worm
Infection Length: 40,960 bytes
Systems Affected: Windows NT, Windows 2000, Windows XP
Systems Not Affected: Macintosh, OS/2, UNIX, Linux


When W32.Randex.B is executed, it does the following:


Copies itself as %System%gesfm32.exe.

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).


Caclulates a random IP address for a computer to infect.


Attempts to authenticate itself to the aforementioned randomly-generated IP addresses using one of the following passwords:
<blank>
admin
root
1
111
123
1234
123456
654321
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
server


Copies itself to computers, which have weak administrator passwords, as the following:
<authenticated IP>Admin$system32msmonk32.exe
<authenticated IP>c$winntsystem32msmonk32.exe


Schedules a Network Job to run the worm.


Adds the value:

"Microsoft Netview"="%System%gesfm32.exe"

to the registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

so that the worm runs when you start Windows.


Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as:
ntscan: Performs the scan for the computers with weak administrator passwords and copies itself to said machines.
syn: Performs a syn flood attack with a data size of 55808 bytes.
sysinfo: Retrieves the infected machine's information, such as CPU speed, memory, and so on."

For more information: http://www.symantec.com/avcenter/

Regards, Jade .