From Symantec: "W32.Randex.C is a network-aware worm that will copy itself as the following files: Admin$system32msmonk32.exe c$winntsystem32msmonk32.exe The worm will receive instructions from an IRC channel on a specific IRC server. One such command will trigger the aforementioned spreading. Type: Worm Infection Length: 40,960 bytes Systems Affected: Windows NT, Windows 2000, Windows XP Systems Not Affected: Macintosh, OS/2, UNIX, Linux When W32.Randex.B is executed, it does the following: Copies itself as %System%gesfm32.exe. NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP). Caclulates a random IP address for a computer to infect. Attempts to authenticate itself to the aforementioned randomly-generated IP addresses using one of the following passwords: <blank> admin root 1 111 123 1234 123456 654321 !@#$ asdf asdfgh !@#$% !@#$%^ !@#$%^& !@#$%^&* server Copies itself to computers, which have weak administrator passwords, as the following: <authenticated IP>Admin$system32msmonk32.exe <authenticated IP>c$winntsystem32msmonk32.exe Schedules a Network Job to run the worm. Adds the value: "Microsoft Netview"="%System%gesfm32.exe" to the registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun so that the worm runs when you start Windows. Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as: ntscan: Performs the scan for the computers with weak administrator passwords and copies itself to said machines. syn: Performs a syn flood attack with a data size of 55808 bytes. sysinfo: Retrieves the infected machine's information, such as CPU speed, memory, and so on." For more information: http://www.symantec.com/avcenter/ Regards, Jade .