English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Randex.G
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Randex.G - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Randex.G
Date discovered:
22/07/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium to high
Static file:
Yes
File size:
73.728 Bytes
MD5 checksum:
45A3312349D9F2FB03A5B53DDD9C76CE
VDF version:
6.22.0.14
General
Method of propagation:
• Local network
Aliases:
• Kaspersky: Worm.Win32.Randex.g
• TrendMicro: WORM_RANDEX.F
• F-Secure: W32/Sdbot.AU
• Sophos: W32/Randex-G
• Grisoft: Worm/Randex.G
• VirusBuster: Worm.Win32.Randex.M
• Bitdefender: Win32.Randex.G
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Steals information
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\netd32.exe
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Network Daemon for Win32"="netd32.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "Microsoft Network Daemon for Win32"="netd32.exe"
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
It drops copies of itself to the following network shares:
• \C$\WINNT\system32\
• \ADMIN$\system32\
It uses the following login information in order to gain access to the remote machine:
– The following username:
• administrator
– The following list of passwords:
•
• administrator
• password
IRC
To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: security**********.not.an.attack.ladyofthe.net
Port: 8087-8090
Channel: #zb04
Nickname:
%random%
Server: security**********.not.an.attack.gamerzirc.net
Port: 8087-8090
Channel: #zb04
Nickname:
%random%
– This malware has the ability to collect and send information such as:
• CPU speed
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Size of memory
• Username
– Furthermore it has the ability to perform actions such as:
• connect to IRC server
• Launch DDoS SYN flood
• disconnect from IRC server
• Download file
• Execute file
• Join IRC channel
• Leave IRC channel
• Perform DDoS attack
Stealing
It tries to steal the following information:
– The following CD keys:
• Generals
• Battlefield 1942 The Road to Rome
• Battlefield 1942
• UT2003
• Half-Life
File details
Programming language:
The malware program was written in MS Visual C++.
See a brief description
here
.
Description inserted by Andrei Gherman on Mon, 01 Aug 2005 23:00 (GMT+1)
Description updated by Andrei Gherman on Mon, 29 Aug 2005 10:37 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Randex.G
Print this page
.gif)
