W32/Randon-AN is a network worm with IRC backdoor functionality.
W32/Randon-AN can spread through IRC channels and network shares.
W32/Randon-AN is a network worm with IRC backdoor functionality.
W32/Randon-AN can spread through IRC channels and network shares.
The worm is distributed as a self-extracting archive which installs the worm's components. The following files are created:
app.exe - a clean utility to manage processes
netservup.exe - a hacked mIRC application, detected as W32/Randon-AN
nsrust.exe - a legitimate tool to hide windows
nsup1.sys - an empty file
nsup2.sys - a harmless configuration file
nsup3.sys - a configuration file, detected as W32/Randon-AN
nsuser.bat - a BAT file to add a user to the local computer
tool.sys - a configuration file, detected as W32/Randon-AN
The worm creates the following registry entry in order to run itself automatically on computer logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ansjava
<path to mIRC application>