W32.Randex.C

Discussion in 'malware problems & news' started by Bowserman, Jun 18, 2003.

Thread Status:
Not open for further replies.
  1. Bowserman (Infrequent Poster; joined Apr 15, 2003; 510 posts; South Australia)
    From Symantec:


    "W32.Randex.C is a network-aware worm that will copy itself as the following files:

    Admin$\system32\msmonk32.exe
    c$\winnt\system32\msmonk32.exe

    The worm will receive instructions from an IRC channel on a specific IRC server. One such command will trigger the aforementioned spreading.



    Type: Worm
    Infection Length: 40,960 bytes
    Systems Affected: Windows NT, Windows 2000, Windows XP
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux


    When W32.Randex.B is executed, it does the following:


    Copies itself as %System%\gesfm32.exe.

    NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


    Calculates a random IP address for a computer to infect.


    Attempts to authenticate itself to the aforementioned randomly-generated IP addresses using one of the following passwords:
    <blank>
    admin
    root
    1
    111
    123
    1234
    123456
    654321
    !@#$
    asdf
    asdfgh
    !@#$%
    !@#$%^
    !@#$%^&
    !@#$%^&*
    server


    Copies itself to computers, which have weak administrator passwords, as the following:
    \\<authenticated IP>\Admin$\system32\msmonk32.exe
    \\<authenticated IP>\c$\winnt\system32\msmonk32.exe


    Schedules a Network Job to run the worm.


    Adds the value:

    "Microsoft Netview"="%System%\gesfm32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.


    Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as:
    ntscan: Performs the scan for the computers with weak administrator passwords and copies itself to said machines.
    syn: Performs a syn flood attack with a data size of 55808 bytes.
    sysinfo: Retrieves the infected machine's information, such as CPU speed, memory, and so on."

    For more information: http://www.symantec.com/avcenter/

    Regards, Jade :).
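The Run-key persistence entry quoted from the Symantec writeup is the simplest indicator to sweep for across a fleet, since it survives a reboot and sits in one well-known key. The following is an added example, not Symantec's code and not the poster's: it parses the text output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (as you would capture it from a host with psexec or a logon script) and flags entries that match the writeup's indicators, either by the value name "Microsoft Netview" or by an executable named gesfm32.exe / msmonk32.exe. The sample output below is constructed for the example, not a real capture, and the parser assumes the standard reg.exe column layout (name, REG_ type, data, separated by runs of whitespace).

```python
import re
from typing import Dict, List

# Indicators taken from the Symantec writeup quoted above.
WORM_FILENAMES = {"gesfm32.exe", "msmonk32.exe"}
WORM_RUN_VALUE = "microsoft netview"

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output from an infected Windows 2000 host. Not a real capture; the entries
# around the worm's value are filler.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    Microsoft Netview    REG_SZ    C:\WINNT\system32\gesfm32.exe
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
"""

# One value line: leading indent, value name (may contain spaces), a REG_* type
# token, then the data. The non-greedy name stops at the first REG_ token.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_run_values(text: str) -> List[Dict[str, str]]:
    """Return the value entries (name/type/data) from reg.exe query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def executable_basename(data: str) -> str:
    """Extract the lowercase file name of the program a Run value launches.

    Handles both quoted paths with spaces and bare paths followed by arguments.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        tokens = data.split()
        path = tokens[0] if tokens else ""
    return path.rsplit("\\", 1)[-1].lower()


def find_randex_indicators(text: str) -> List[Dict[str, object]]:
    """Flag Run entries matching the W32.Randex.C persistence indicators."""
    hits = []
    for entry in parse_run_values(text):
        reasons = []
        if entry["name"].strip().lower() == WORM_RUN_VALUE:
            reasons.append("value name matches worm persistence entry")
        if executable_basename(entry["data"]) in WORM_FILENAMES:
            reasons.append("data points at a worm binary name")
        if reasons:
            hits.append({"name": entry["name"], "data": entry["data"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_randex_indicators(SAMPLE_REG_QUERY):
        print(f"{hit['name']!r} -> {hit['data']}: {'; '.join(hit['reasons'])}")
```

The check is deliberately name-based, which is all the writeup gives you; a variant that renames its binary or its Run value will not match, so pair this with a look at the file itself (size of 40,960 bytes per the writeup, and no legitimate vendor signature on anything called gesfm32.exe) and with the scheduled-job and IRC-connection indicators the writeup also lists.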
     