Sophos

W32/Randex-T


Summary

Detected by All Sophos products

Action

Please follow the instructions for removing worms.

If Netstat.exe has been deleted from the Windows system folder, replace it from backup or from a clean computer running the same operating system.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Iamnacho On Irc. MusicIrc.com Is a Homosexual!

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Iamnacho On Irc. MusicIrc.com Is a Homosexual!

and remove any value that refers to a file you deleted (the worm's copy in the Windows system folder).

Close the registry editor.

More Information

W32/Randex-T is a network worm with backdoor capabilities that allow a remote intruder to access and control the computer via IRC channels.

W32/Randex-T chooses IP addresses at random and tries to connect to the IPC$ share on each one using a list of simple passwords. If the connection is successful, the worm attempts to copy itself to the following locations on the remote computer:

\c$\winnt\system32\netd32.exe
\Admin$\system32\netd32.exe

W32/Randex-T then schedules a job on the remote computer to execute the dropped file.

Each time the worm is run it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background, acting as a server that listens on the channel for commands to execute.

When first run, W32/Randex-T copies itself to the Windows system folder and adds its pathname to the following registry entries, so that it is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Iamnacho On Irc. MusicIrc.com Is a Homosexual!

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Iamnacho On Irc. MusicIrc.com Is a Homosexual!

W32/Randex-T deletes Netstat.exe in the Windows System folder.
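As an added example (not Sophos code and not part of the original page), the registry part of the removal procedure under Action and the persistence entries listed above can be checked mechanically rather than by eye in Regedit. The script parses the Backup.reg export that the removal steps ask you to make, reports any Run or RunServices value that carries the worm's value name or points at netd32.exe, and checks a listing of the Windows system folder for the dropped file and for the deleted Netstat.exe. The registry contents and file names in the sample are constructed for the demonstration; the worm's local filename is assumed to be netd32.exe, which the page only states for the remote copies.

```python
"""Added example (not Sophos code): check an exported registry backup and a
listing of the Windows system folder for the W32/Randex-T indicators named
on this page."""
import re

# Indicators taken from the page. The value name is the worm's own string.
RANDEX_VALUE_NAME = "Iamnacho On Irc. MusicIrc.com Is a Homosexual!"
RANDEX_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
RANDEX_DROPPED_FILE = "netd32.exe"   # assumed local filename (page names it for remote copies)

# .reg syntax: [key] headers, then "name"="data" lines with backslashes and
# double quotes escaped. Only string (REG_SZ) data matters for Run/RunServices.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse a Regedit export into {key: {value_name: data}}.

    Regedit writes version 5.00 exports as UTF-16, so read a real Backup.reg
    with open(path, encoding="utf-16") before passing its text here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line.startswith("REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue            # hex continuation lines etc. are not needed
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_randex_run_entries(reg):
    """Return (key, value_name, data) for every Run/RunServices value that is
    either the worm's value name or points at its dropped file."""
    hits = []
    for key, values in reg.items():
        if key.lower() not in RANDEX_RUN_KEYS:
            continue
        for name, data in values.items():
            if name == RANDEX_VALUE_NAME or RANDEX_DROPPED_FILE in data.lower():
                hits.append((key, name, data))
    return hits


def check_system_folder(listing):
    """listing: file names in the Windows system folder (os.listdir on a live
    machine; a constructed list in the demo below)."""
    names = {n.lower() for n in listing}
    return {
        "dropped_netd32": RANDEX_DROPPED_FILE in names,   # worm copy present
        "netstat_missing": "netstat.exe" not in names,    # the worm deletes it
    }


def scan(reg_text, system_listing):
    report = check_system_folder(system_listing)
    report["run_entries"] = find_randex_run_entries(parse_reg_export(reg_text))
    report["infected"] = bool(report["run_entries"]) or report["dropped_netd32"]
    return report


# Constructed sample input: what Backup.reg and the system folder might look
# like on an infected Windows 2000 host. Not captured from a real machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Iamnacho On Irc. MusicIrc.com Is a Homosexual!"="C:\\WINNT\\system32\\netd32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Iamnacho On Irc. MusicIrc.com Is a Homosexual!"="C:\\WINNT\\system32\\netd32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
'''
SAMPLE_SYSTEM32_LISTING = ["cmd.exe", "netd32.exe", "ipconfig.exe"]   # no netstat.exe

if __name__ == "__main__":
    for k, v in scan(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32_LISTING).items():
        print(f"{k}: {v}")
```

Run it against the exported backup and an `os.listdir` of the system folder; each reported Run/RunServices entry is one of the values the removal steps tell you to delete, and a missing Netstat.exe is the cue to restore it from a clean machine.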
