W32/Randex-Y

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 11 Jan 2004 00:00:00 (GMT)
Last Updated: 11 Jan 2004 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Randex-Y is a network worm with backdoor capabilities that allow a remote intruder to access and control the computer via IRC channels.

W32/Randex-Y chooses IP addresses at random and tries to connect to the IPC$ share using simple passwords. If the connection is successful, the worm copies itself to the following remote locations:

\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe

W32/Randex-Y then schedules a job to execute the remotely created files.

Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute.

When first run, the worm copies itself to the Windows system folder as IRBMe.exe and adds the following registry entries pointing to this copy, so that the worm is run at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!

W32/Randex-Y may also create the file remove.bat in the Windows temp folder. This file is not malicious and can simply be deleted.
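The indicators in the description above (the msnv32.exe and IRBMe.exe drop names, the "IRBMe Sucks!!" Run and RunServices values, and the incidental remove.bat) lend themselves to a simple offline triage check. The following is an added example, not Sophos tooling or code from the page: it parses an exported registry fragment (.reg text) and a list of file paths and reports which of these indicators are present. The parser handles only the `[Key]` / `"Name"="Data"` subset of .reg syntax, and the sample registry export and file paths are constructed for illustration (the benign Run entry and the 192.0.2.10 host are invented placeholders).

```python
"""Offline triage for the W32/Randex-Y indicators named in the description.
Added example; the sample inputs below are constructed, not captured data."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the description above.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
RUN_VALUE_NAME = "IRBMe Sucks!!"
DROPPED_FILES = {"msnv32.exe", "irbme.exe"}   # compared case-insensitively
INCIDENTAL_FILES = {"remove.bat"}             # not malicious, but corroborating


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [Key] headers and "Name"="Data" lines of a .reg export.
    String data has its surrounding quotes and doubled backslashes removed."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            result[current][name] = data
    return result


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_persistence(entries: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for Run/RunServices entries that either
    carry the worm's value name or point at one of its dropped file names."""
    hits = []
    for key, values in entries.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if name == RUN_VALUE_NAME or _basename(data) in DROPPED_FILES:
                hits.append((key, name, data))
    return hits


def find_dropped_files(paths: List[str]) -> Dict[str, List[str]]:
    """Split a file listing into the worm's copies and the incidental remove.bat."""
    found: Dict[str, List[str]] = {"malicious": [], "incidental": []}
    for p in paths:
        base = _basename(p)
        if base in DROPPED_FILES:
            found["malicious"].append(p)
        elif base in INCIDENTAL_FILES:
            found["incidental"].append(p)
    return found


# Constructed sample export: one invented benign entry plus the worm's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleBenignEntry"="C:\\WINNT\\system32\\example.exe"
"IRBMe Sucks!!"="C:\\WINNT\\system32\\IRBMe.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"IRBMe Sucks!!"="C:\\WINNT\\system32\\IRBMe.exe"
'''

# Constructed file listing; 192.0.2.10 is a documentation-range placeholder host.
SAMPLE_PATHS = [
    r"\\192.0.2.10\ADMIN$\system32\msnv32.exe",
    r"C:\WINNT\system32\IRBMe.exe",
    r"C:\WINNT\Temp\remove.bat",
    r"C:\WINNT\system32\example.exe",
]

if __name__ == "__main__":
    for key, name, data in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"persistence: [{key}] {name!r} -> {data}")
    for kind, paths in find_dropped_files(SAMPLE_PATHS).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Matching on the value name alone would miss a variant that renamed its entry, so the check also flags any Run/RunServices value whose target file is one of the drop names; remove.bat is reported separately because the description says it is harmless on its own.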
