Lumension® Endpoint Intelligence Center


Overview

Threat Risk NONE
Destructivity MEDIUM
Payload Backdoor functionality
Detection files published 16 Oct 2003 03:00:00
Description created 28 Jan 2004 06:11:00
Description updated 28 Jan 2004 06:47:00
Malware type WORM
Alias
Spreading mechanism NETWORK
Summary None

W32/Randex.R

Spreading

Randex starts by deleting netstat.exe from the %SYSTEM% directory. Next, it copies itself to the %SYSTEM% directory as either "metalrock-is-gay.exe" or "musirc4.71.exe", and depending on the name of the executable it will create the following registry values to ensure it is started with Windows.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"MeTaLRoCk (irc.musirc.com) has sex with printers" = "metalrock-is-gay.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"MeTaLRoCk (irc.musirc.com) has sex with printers" = "metalrock-is-gay.exe"
Or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"MusIRC (irc.musirc.com) client" = "musirc4.71.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\"MusIRC (irc.musirc.com) client" = "musirc4.71.exe"

To infect NT-based machines, Randex generates a random IP address and then verifies that the machine is capable of being infected. It then attempts to copy itself to:

\\(RANDOM_IP)\ADMIN$\system32\musirc4.71.exe
\\(RANDOM_IP)\C$\system32\musirc4.71.exe
Finally, Randex schedules a network job to launch the executable on the remote share.
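The host indicators above (the two dropped filenames, the deleted netstat.exe, and the Run/RunServices values) can be checked on a suspect machine with the following PowerShell script. It is an added example and not part of the Lumension description; the indicator strings are taken verbatim from the page, and the file and registry paths it resolves (`%SystemRoot%\System32` as the %SYSTEM% directory, `HKLM:\...\Run` and `RunServices`) are assumptions about the host being checked. Run it from an elevated prompt; the same file check applied on a remote target's ADMIN$ or C$ share (under `\system32`) covers the copies the worm drops over the network.

```powershell
# Added example: host check for the W32/Randex.R indicators listed on this page.
# Not from the original description; paths and key locations are assumptions.

$system32  = Join-Path $env:SystemRoot 'System32'      # assumed %SYSTEM% location
$dropNames = @('metalrock-is-gay.exe', 'musirc4.71.exe') # filenames from the description
$runKeys   = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
# Value names from the description; matched by prefix so the long first name
# is caught even if its tail was altered.
$valuePrefixes = @('MeTaLRoCk (irc.musirc.com)', 'MusIRC (irc.musirc.com)')

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies in the system directory
foreach ($name in $dropNames) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
    }
}

# 2. netstat.exe removed (the worm deletes it before copying itself)
if (-not (Test-Path -LiteralPath (Join-Path $system32 'netstat.exe'))) {
    $findings.Add("netstat.exe is missing from $system32 (Randex deletes it)")
}

# 3. Persistence values under Run / RunServices.
#    RunServices only exists on some Windows versions, so skip absent keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data    = [string]$regKey.GetValue($valueName)
        $nameHit = $valuePrefixes | Where-Object {
            $valueName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        $dataHit = $dropNames | Where-Object { $data -like "*$_*" }
        if ($nameHit -or $dataHit) {
            $findings.Add("Autorun value: $key\$valueName = $data")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Randex.R indicators found.'
} else {
    Write-Warning "W32/Randex.R indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A missing netstat.exe on its own is weak evidence (it may simply have been removed), so treat it as corroborating rather than decisive; a hit on the Run value names or the dropped filenames is the stronger signal, and the `irc.musirc.com` string embedded in those value names is also worth searching for in registry exports collected from other hosts.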

Payload Details

Randex then starts the backdoor functionality, which connects to an IRC server and waits for commands. Depending on the command received, Randex performs one of the following tasks:
- Perform a DoS attack using SYN floods, UDP packets or pings.
- Update itself.
- Send brief details of the machine to the attacker (CPU details, memory statistics or running thread information).
- Join another IRC channel, change its NICK or log out of the channel.
- Launch executables.
- Attempt to infect NT-based machines.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11