W32/Randon-AC is a multi-component network worm which attempts to spread by copying its components to remote computers whose IPC$ shares are protected by weak passwords, and executing them there. One component of the worm, POWARC.EXE, then attempts to download a copy of the worm from a remote URL, save it as C:\POWARC860.EXE and execute it. The worm also allows unauthorised remote access to the computer via IRC channels.
The main file is a self-extracting EXE which creates a folder called POWERARC80 within the Windows system folder and drops and executes several files, some of which are legitimate utilities or innocuous files, e.g.:
- POWARC.EXE downloads and executes copies of the worm from the internet
- B1SH is a configuration file
- CONFIG.INI is a configuration INI file
- CONSTR is a TXT file containing a list of passwords
- F.F is a TXT file containing ranges of IP addresses
- HKO.EXE is a legitimate networking utility called PSEXEC
- HUST is an INI file which allows unauthorised remote access to the computer via IRC channels
- MATH.EXE is a legitimate utility called HIDEWINDOW
- MORT.EXE is a legitimate utility called HIDERUN
- MT.EXE is a legitimate utility called PRCVIEW
- PLUGED.EXE is a legitimate mIRC client
- Q8H3LLTM is a configuration INI file
- R.BAT attempts to copy the worm to network shares and execute it using PSEXEC
- R.R is a TXT file containing ranges of IP addresses
- RETA.BAT is used to give certain files hidden, system and read-only attributes
- TOTAL.EXE is a legitimate utility called HIDEWINDOW
- VHOST.EXE is a legitimate networking utility called XSCAN
- 090-NTPASS.XPN is a legitimate DLL plugin for XSCAN
- X-SCANCFG.INI is an innocuous TXT file
W32/Randon-AC creates an entry in the following registry key to run PLUGED.EXE on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
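The indicators above (the POWERARC80 folder and its contents, the downloaded copy in C:\, and the Run value that launches PLUGED.EXE) can be checked against a host snapshot with the following Python script. This is an added example, not part of the original description and not the vendor's own tooling; the function names, the verdict thresholds, and the two snapshots at the bottom are constructed for illustration, and the snapshot data is meant to come from a directory listing and a registry export gathered by whatever collection method is in use.

```python
"""Offline triage of a host snapshot for W32/Randon-AC indicators.

Added example, not the advisory's or the vendor's code. Input is a snapshot:
names found in <SystemRoot>\\POWERARC80, names found in C:\\, and the values
under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. All matching is
case-insensitive because NTFS and the registry are.
"""
from __future__ import annotations

from typing import Iterable, Mapping

DOWNLOADED_COPY = "POWARC860.EXE"  # written to C:\ by POWARC.EXE

# File names the description lists as dropped into POWERARC80, with their role.
DROPPED_FILES = {
    "POWARC.EXE": "downloader",
    "B1SH": "configuration file",
    "CONFIG.INI": "configuration INI",
    "CONSTR": "password list",
    "F.F": "IP address ranges",
    "HKO.EXE": "renamed PSEXEC",
    "HUST": "IRC backdoor configuration",
    "MATH.EXE": "renamed HIDEWINDOW",
    "MORT.EXE": "renamed HIDERUN",
    "MT.EXE": "renamed PRCVIEW",
    "PLUGED.EXE": "renamed mIRC client",
    "Q8H3LLTM": "configuration INI",
    "R.BAT": "spreader batch file",
    "R.R": "IP address ranges",
    "RETA.BAT": "attribute-setting batch file",
    "TOTAL.EXE": "renamed HIDEWINDOW",
    "VHOST.EXE": "renamed XSCAN",
    "090-NTPASS.XPN": "XSCAN plugin",
    "X-SCANCFG.INI": "XSCAN configuration",
}

# Legitimate tools shipped under other names. On their own they prove little
# (an administrator may keep PsExec around), so the verdict below also requires
# a worm-specific file before calling the host infected.
RENAMED_TOOLS = {"HKO.EXE", "MATH.EXE", "MORT.EXE", "MT.EXE", "PLUGED.EXE",
                 "TOTAL.EXE", "VHOST.EXE", "090-NTPASS.XPN"}
WORM_SPECIFIC = set(DROPPED_FILES) - RENAMED_TOOLS


def matched_dropped_files(listing: Iterable[str]) -> set[str]:
    """Return the listed dropped-file names present in a POWERARC80 listing."""
    present = {name.strip().upper() for name in listing}
    return {name for name in DROPPED_FILES if name in present}


def run_key_hits(run_values: Mapping[str, str]) -> list[str]:
    """Return Run value names whose command references PLUGED.EXE.

    Deliberately loose: quotes, arguments and any parent folder are tolerated,
    so a variant that drops the file elsewhere is still flagged.
    """
    return [name for name, command in run_values.items()
            if "PLUGED.EXE" in command.strip().strip('"').upper()]


def triage(system_folder_listing: Iterable[str], root_listing: Iterable[str],
           run_values: Mapping[str, str]) -> dict:
    """Combine the three indicator sources into one verdict (thresholds are an assumption)."""
    dropped = matched_dropped_files(system_folder_listing)
    downloaded = any(n.strip().upper() == DOWNLOADED_COPY for n in root_listing)
    hits = run_key_hits(run_values)
    if hits and dropped & WORM_SPECIFIC:
        verdict = "likely infected"      # persistence plus worm-only files
    elif dropped or downloaded or hits:
        verdict = "suspicious"           # partial match; inspect by hand
    else:
        verdict = "clean"
    return {"verdict": verdict, "dropped": sorted(dropped),
            "downloaded_copy": downloaded, "run_key": hits}


# Constructed snapshots for illustration (not captured from a real host).
INFECTED = {
    "system_folder_listing": ["powarc.exe", "b1sh", "config.ini", "constr", "f.f",
                              "hko.exe", "hust", "math.exe", "mort.exe", "mt.exe",
                              "pluged.exe", "q8h3lltm", "r.bat", "r.r", "reta.bat",
                              "total.exe", "vhost.exe", "090-ntpass.xpn",
                              "x-scancfg.ini"],
    "root_listing": ["POWARC860.EXE", "boot.ini", "ntldr"],
    "run_values": {"pluged": r'"C:\WINDOWS\system32\POWERARC80\PLUGED.EXE"',
                   "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}
CLEAN = {
    "system_folder_listing": [],          # folder absent or empty
    "root_listing": ["boot.ini", "ntldr"],
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
}

if __name__ == "__main__":
    print(triage(**INFECTED))
    print(triage(**CLEAN))
```

A host where only the renamed tools (HKO.EXE, MT.EXE and so on) are present, with no Run value and none of the worm-specific files, is reported as "suspicious" rather than "likely infected", since those binaries are legitimate utilities that may have been placed there by an administrator.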