Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:W32/Slanper.worm [McAfee], W32/Slanper-A [Sophos], Worm.Win32.Randex.d [KAV]
Type:Worm 
Size:32,256 Bytes, 13,824 Bytes 
Origin: 
Date:00-00-0000 
Damage:Spreads over shared networks. 
VDF Version:6.23.00.00 
Danger:Medium 
Distribution:Medium 

DistributionWorm/Randex.D tries to copy itsel into administrative archives with weak passwords.

Technical DetailsWhen activated, Worm/Randex tries to connect to other computers, using random IP addresses. The worm tries to contact every computer user, using the following passwords:
admin
root
1
111
123
1234
123456
654321
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
server

It makes one of the following autostart entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"mssyslanhelper"="msmsgri32.exe"
"mslanhelper"="msmsgri32.exe"

The backdoor Trojan makes the autostart entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "System Initialization"="payload.dat"
The Torjan listens on TCP ports 3330, 3331 and 3332 for further instructions.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .