Antivirus and Security Software from Sophos

W32/Randex-Q

Aliases
  • W32.Randex.Q
  • WORM_RANDEX.Q

Summary

Protection available since 17 October 2003 13:17:04 (GMT)
Last updated 23 October 2003 14:58:49 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MusIRC (irc.music.com) client = "<copy of the worm>"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MusIRC (irc.music.com) client = "<copy of the worm>"

and delete them if they exist.

Close the registry editor.

More Information

W32/Randex-Q is a network worm with backdoor capabilities that allows a
remote intruder to access and control the computer via IRC channels.

W32/Randex-Q chooses IP addresses at random and tries to connect to
the IPC$ share using simple passwords. If the connection is successful, the
worm attempts to copy itself to the following remote locations:

\c$\winnt\system32\musirc4.71.exe

\Admin$\system32\musirc4.71.exe

W32/Randex-Q then schedules a job to execute the remotely dropped files.

Each time the worm is run it tries to connect to a remote IRC server and
join a specific channel. The worm then runs in the background as a server
process listening for commands to execute.

When first run, the worm copies itself to the Windows system folder as Musirc4.71.exe, metalrock.exe or metalrock-is-gay.exe and adds the pathname of this executable to a sub-key of the following registry entries so that the worm is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Example registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MusIRC (irc.musirc.com) client = musirc4.71.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MusIRC (irc.musirc.com) client = musirc4.71.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MeTaLRoCk (irc.musirc.com) has sex with printers = metalrock-is-gay.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows MeTaLRoCk service = metalrock.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows MeTaLRoCk service = metalrock.exe
