W32/Randon-AL

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Randon-AL is a multi-component network worm that attempts to spread by copying its components to poorly protected network shares.

W32/Randon-AL also allows unauthorised remote access to the computer via IRC channels.

The worm is initially installed on a system by a self-extracting archive that creates a subfolder named QSWS in the Windows system folder. The following files are added to this folder:

abo3ramconfit - configuration file
alte.exe - Troj/DcomTool-M
beird.exe - Troj/Mirchack-D
c.bat - batch file used to capture "Run" registry entries
cult.exe - clean utility called Prcview
cygwin1.dll - clean system file
dual.exp - mIRC ini file used by Troj/Mirchack-D
emoti.bat - batch file used to compromise poorly protected administrator network shares. This file is detected by this identity.
enotxa2.exe - W32/Rbot-PV
explorx.exe - Troj/RpcLsa-E
ger.exe - clean system utility
gt.x - configuration file
hosts - modified HOSTS file designed to prevent access to anti-virus websites
knlps.exe - system process application
knlps.sys - component of previous tool
ksat.bat - batch file component
medo.dl - text file, a list of likely passwords
ntcnsl.dll - component related to mIRC
orrl.exe - packet-sniffing application
repcale.exe - clean utility called Hidewindow
riqa - text file containing IP ranges
titlex.exe - clean utility called Psexec
w.e - configuration file
wshield.exe - hacked version of SlimFTPd server application
ymnz.exe - an adware application
zema - malicious batch file also detected by this identity.

When installed, the following registry entries are created in order to run components of the worm on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DATABASE MySql =
"<Windows system folder>\qsws\repcale.exe <Windows system folder>\qsws\beird.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
DATABASE MySql =
"<Windows system folder>\qsws\repcale.exe <Windows system folder>\qsws\beird.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
DATABASE MySql =
"<Windows system folder>\qsws\repcale.exe <Windows system folder>\qsws\beird.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
DATABASE MySql =
"<Windows system folder>\qsws\repcale.exe <Windows system folder>\qsws\beird.exe"

HKLM\Software\CLASSES\irc\Shell\open\command
@ = "<Windows system folder>\qsws\beird.exe"
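The persistence entries listed above can be checked for during triage of an exported registry dump. The following script is an added example and is not Sophos' code or part of the analysis: it parses a `.reg` export (the format produced by `reg export`), and flags any "DATABASE MySql" value or any reference to a `qsws` folder under the four Run/RunServices keys, plus a hijacked `irc` URL handler. The sample export embedded below is constructed, with `C:\WINDOWS\system32` standing in for the Windows system folder.

```python
import re

# Persistence locations named in the analysis, in the hive names that a
# .reg export uses (HKLM -> HKEY_LOCAL_MACHINE, HKCU -> HKEY_CURRENT_USER).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservices",
}
IRC_KEY = r"hkey_local_machine\software\classes\irc\shell\open\command"

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.
    Only string ("...") values are handled; '@' is the key's default value.
    Backslashes are doubled in .reg files, so they are unescaped here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_randon_al_persistence(reg_text):
    """Return (key, value_name, data) tuples that match the registry
    persistence described for W32/Randon-AL."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            in_qsws = "\\qsws\\" in data.lower()
            if k in RUN_KEYS and (name.lower() == "database mysql" or in_qsws):
                hits.append((key, name, data))
            elif k == IRC_KEY and name == "@" and in_qsws:
                hits.append((key, name, data))
    return hits

# Constructed sample export: one infected Run value, one benign value,
# and the hijacked irc:// handler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DATABASE MySql"="C:\\WINDOWS\\system32\\qsws\\repcale.exe C:\\WINDOWS\\system32\\qsws\\beird.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\CLASSES\irc\Shell\open\command]
@="C:\\WINDOWS\\system32\\qsws\\beird.exe"
"""

if __name__ == "__main__":
    for key, name, data in find_randon_al_persistence(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name} = {data}")
```

On a live host, `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other keys above) produces input in this format.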
