
Randex Computer Virus

AKA: W32.Sluter.B, Randex.Worm, Backdoor.Sdbot.gen

Randex is a modified variant of the Sluter worm and spreads using network shares. Sluter scans for IP addresses and infects systems that have a weak password or no password. It has backdoor capabilities that allow a remote intruder to access and control the computer via IRC channels. This network of zombie PCs can be used to distribute spam or as a platform to launch DDoS attacks.

When executed, Sluter.B copies itself to the Windows System folder as NETD32.EXE (for example C:\WINNT\SYSTEM32\NETD32.EXE). It then modifies the registry Run section so that it loads automatically. The registry modifications are given below.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft Network Daemon for Win32" = "netd32.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
"Microsoft Network Daemon for Win32" = "netd32.exe"

The worm connects to an IRC channel and allows full access to the infected system. Using this backdoor facility, hackers can steal data from the infected systems. It attempts to connect to a remote IRC server (the IP address of which is stored in the worm) and joins an IRC channel to await commands. These commands include:

  • update
  • clone
  • download
  • ntscan/ntstop - initiate scanning for remote machines to infect
  • syn - issue a SYN flood attack (TCP SYN packets, window size setting 55808 bytes)
  • sysinfo - retrieve system information (e.g. CPU, dial-up and OS details)

Upon the appropriate remote command (via IRC), the worm attempts to connect to remote machines, taking advantage of machines with weak passwords. Remote machines are targeted by randomly generated IP address. The worm tries the following passwords:

  • server
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • !@#$%
  • asdfgh
  • asdf
  • !@#$
  • 654321
  • 123456
  • 1234
  • 123
  • 111
  • 1
  • root
  • admin

If successful, the worm copies itself to the remote machine as MSMONK32.EXE to the following locations:

  • \C$\WINNT\SYSTEM32\MSMONK32.EXE
  • \ADMIN$\SYSTEM32\MSMONK32.EXE

To run the worm, a job is scheduled on the remote machine; this relies on the Schedule service running on the target machine.
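The persistence entries and file names above are the host-side indicators a responder would look for. The following is an added example for this page, not vendor code: it parses a Windows registry export (.reg text) and flags Run/RunServices entries that carry the "Microsoft Network Daemon for Win32" value name or launch netd32.exe or msmonk32.exe. The registry export embedded in the block is constructed sample data, not a capture from an infected machine.

```python
"""Flag Randex/Sluter.B autostart entries in a Windows .reg export.

Added example for this page (not the vendor's code). The indicators are
the value name and file names given in the description above; the
sample export below is constructed, not taken from a real machine.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the description: autostart value name and worm file names.
RANDEX_VALUE_NAME = "microsoft network daemon for win32"
RANDEX_BINARIES = {"netd32.exe", "msmonk32.exe"}

# Autostart keys the worm writes, lower-cased for comparison.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed sample export: one benign entry plus the two worm entries
# from the page, and an unrelated RunOnce key to show quoted-path parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample export, not from a real machine
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Microsoft Network Daemon for Win32"="netd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Network Daemon for Win32"="netd32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\WINNT\\system32\\cleanmgr.exe\" /d C:"
'''


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse string values from a REGEDIT4 / 'Version 5.00' export.

    Returns {key_path_lowercase: {value_name: data}}. Only REG_SZ values
    ("name"="data" and @="data") are kept; hex/dword data is skipped since
    the indicators here are strings.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def command_basename(data: str) -> str:
    """Lower-case file name launched by an autostart value.

    Handles quoted paths ("C:\\dir\\x.exe" /arg) and bare names (netd32.exe),
    which Windows resolves through the system search path.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        exe = data[1:end] if end > 0 else data[1:]
    else:
        exe = data.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_randex_autostarts(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, data, reason) for each suspicious entry."""
    hits: List[Tuple[str, str, str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            reasons = []
            if name.lower() == RANDEX_VALUE_NAME:
                reasons.append("value name matches Randex persistence entry")
            if command_basename(data) in RANDEX_BINARIES:
                reasons.append("launches a Randex file name")
            if reasons:
                hits.append((key, name, data, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_randex_autostarts(SAMPLE_REG):
        print(f"[{key}] {name!r} = {data!r}: {reason}")
```

To run this against a real export, dump the two keys with regedit or `reg export` and read the file with `encoding="utf-16"` for "Version 5.00" files (REGEDIT4 exports are ANSI). Matching on the launched file name as well as the value name catches the case where only one of the two indicators survives, and the bare `netd32.exe` data is a reminder that an unqualified name is resolved through the System folder, which is exactly where the page says the worm drops itself.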

Randex in the News

A 16-year-old youth from Mississauga, near Toronto, Canada, has been charged with writing and distributing the damaging Randex computer worm.
