W32/Randex-Q is a network worm with backdoor capabilities that allows a
remote intruder to access and control the computer via IRC channels.
W32/Randex-Q chooses IP addresses at random and tries to connect to
the IPC$ share using simple passwords. If the connection is successful, the
worm attempts to copy itself to the following remote locations:
\c$\winnt\system32\musirc4.71.exe
\Admin$\system32\musirc4.71.exe
W32/Randex-Q then schedules a job to execute the remotely dropped files.
Each time the worm is run it tries to connect to a remote IRC server and
join a specific channel. The worm then runs in the background as a server
process listening for commands to execute.
When first run, the worm copies itself to the Windows system folder as Musirc4.71.exe, metalrock.exe or metalrock-is-gay.exe and adds the pathname of this executable to a sub-key of the following registry entries, so that the worm is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Example registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MusIRC (irc.musirc.com) client = musirc4.71.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MusIRC (irc.musirc.com) client = musirc4.71.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows MeTaLRoCk service = metalrock.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows MeTaLRoCk service = metalrock.exe
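The autorun entries above give a defender a concrete check: any value under the HKLM Run or RunServices keys whose data names one of the three worm executables is suspect. The script below is an added example, not part of the original write-up: it classifies registry values against those filenames, reading the live keys via winreg on Windows, and otherwise runs on a constructed sample built from the entries listed above. The sample entries and the benign SecurityHealth value are constructed for illustration.

```python
"""Flag W32/Randex-Q autorun persistence (added example, not from the original page)."""
import ntpath
import sys

# Filenames and autorun keys named in the description above.
RANDEX_FILENAMES = {"musirc4.71.exe", "metalrock.exe", "metalrock-is-gay.exe"}
AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample: two entries modelled on the page plus one benign value.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "MusIRC (irc.musirc.com) client", "musirc4.71.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Windows MeTaLRoCk service", r"C:\WINNT\System32\metalrock.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

def find_randex_persistence(entries):
    """entries: iterable of (key_path, value_name, value_data) tuples.
    Returns the entries whose data names one of the worm's executables.
    Matching is case-insensitive and ignores directory prefix and quotes,
    since the worm may register a bare filename or a full system32 path."""
    hits = []
    for key, name, data in entries:
        exe = ntpath.basename(str(data).strip().strip('"')).lower()
        if exe in RANDEX_FILENAMES:
            hits.append((key, name, data))
    return hits

def collect_autorun_entries():
    """Enumerate the two HKLM autorun keys on a live Windows host (empty elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for key in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append(("HKLM\\" + key, name, data))
                    index += 1
        except OSError:
            continue  # key absent (RunServices does not exist on NT-based systems)
    return entries

if __name__ == "__main__":
    live = collect_autorun_entries() or SAMPLE_ENTRIES
    for key, name, data in find_randex_persistence(live):
        print(f"suspicious autorun: {key}\\{name} = {data}")
```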