W32.Randex.C

Discussion in 'malware problems & news' started by Bowserman, Jun 18, 2003.

Thread Status:
Not open for further replies.
  1. Bowserman

    From Symantec:


    "W32.Randex.C is a network-aware worm that will copy itself as the following files:

    Admin$\system32\msmonk32.exe
    c$\winnt\system32\msmonk32.exe

    The worm will receive instructions from an IRC channel on a specific IRC server. One such command will trigger the aforementioned spreading.



    Type: Worm
    Infection Length: 40,960 bytes
    Systems Affected: Windows NT, Windows 2000, Windows XP
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux


    When W32.Randex.B is executed, it does the following:


    Copies itself as %System%\gesfm32.exe.

    NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


    Calculates a random IP address for a computer to infect.


    Attempts to authenticate itself to the aforementioned randomly-generated IP addresses using one of the following passwords:
    <blank>
    admin
    root
    1
    111
    123
    1234
    123456
    654321
    !@#$
    asdf
    asdfgh
    !@#$%
    !@#$%^
    !@#$%^&
    !@#$%^&*
    server


    Copies itself to computers that have weak administrator passwords, as the following:
    \\<authenticated IP>\Admin$\system32\msmonk32.exe
    \\<authenticated IP>\c$\winnt\system32\msmonk32.exe


    Schedules a Network Job to run the worm.


    Adds the value:

    "Microsoft Netview"="%System%\gesfm32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.


    Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as:
    ntscan: Performs the scan for the computers with weak administrator passwords and copies itself to said machines.
    syn: Performs a syn flood attack with a data size of 55808 bytes.
    sysinfo: Retrieves the infected machine's information, such as CPU speed, memory, and so on."

    For more information: http://www.symantec.com/avcenter/

    Regards, Jade :).
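A host-side check for the indicators listed in the Symantec writeup above, added here as an example and not part of the original post or of Symantec's material. The function name is my own; the file names, Run value name and task strings are taken from the writeup, and it assumes an English Windows build so that the `schtasks` CSV header reads "Task To Run".

```powershell
# Added example: look for the W32.Randex.C persistence and drop indicators
# quoted in the writeup. Function name is hypothetical; indicators are the
# page's own.
function Test-RandexIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    $system32 = Join-Path $env:SystemRoot 'System32'

    # Persistence: "Microsoft Netview" value under HKLM\...\Run -> %System%\gesfm32.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'Microsoft Netview')) {
        $findings += [pscustomobject]@{
            Indicator = 'Run value "Microsoft Netview"'
            Detail    = $run.'Microsoft Netview'
        }
    }

    # Dropped copies named in the writeup; the stated infection length is 40,960 bytes
    foreach ($name in 'gesfm32.exe', 'msmonk32.exe') {
        $path = Join-Path $system32 $name
        if (Test-Path -LiteralPath $path) {
            $len = (Get-Item -LiteralPath $path).Length
            $sizeNote = if ($len -eq 40960) { 'matches writeup size' } else { "$len bytes" }
            $findings += [pscustomobject]@{
                Indicator = "File $name"
                Detail    = "$path ($sizeNote)"
            }
        }
    }

    # The worm schedules a job on the victim to launch its copy; list tasks that run it
    $tasks = schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv
    foreach ($t in ($tasks | Where-Object { $_.'Task To Run' -match 'msmonk32\.exe|gesfm32\.exe' })) {
        $findings += [pscustomobject]@{
            Indicator = "Scheduled task $($t.TaskName)"
            Detail    = $t.'Task To Run'
        }
    }

    return $findings
}

Test-RandexIndicators | Format-Table -AutoSize
```

An empty result means none of the listed indicators are present; a hit on the Run value or either file is a strong sign the host has been reached over its administrative shares and its local administrator password should be changed.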
     