Sophos

W32/Randex-FC

Aliases
  • W32.Randex.FC
  • W32/Generic.b.worm
  • Backdoor.IRCBot.gen
Category
Type
What to do
Prevalence low high

Summary

 
Protection available since 6 February 2004 13:35:28 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\REMOVE ME
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\REMOVE ME
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\REMOVE ME

and delete them if they exist.

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries for each user who ran the virus. The removal of these entries is optional in Windows 95/98/Me.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\REMOVE ME

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\REMOVE ME

and delete them if they exist.

Close the registry editor and reboot your computer.

More Information

W32/Randex-FC is a worm that spreads via Windows file shares.

In order to run automatically when Windows starts up the worm copies itself to the file asclt.exe in the Windows system folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\REMOVE ME
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\REMOVE ME
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\REMOVE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\REMOVE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\REMOVE ME

W32/Randex-FC attempts to exploit shares with weak administrator passwords in order to copy itself other computers on the network. The worm chooses an IP address at random and attempts to copy itself to the Windows system folder on the remote computer as a file named GT.exe.

The worm also contains a backdoor which listens for commands via IRC allowing a remote intruder to gain access and control over the computer.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer