Summary

| Field | Value |
|---|---|
| Protection available since | 23 January 2004 13:06:15 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
It is vital to delete all files dropped by the worm.
You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Randon-AC is a multi-component network worm which attempts to spread by copying its components to remote IPC$ shares protected by weak passwords and executing them there. One component, POWARC.EXE, then attempts to download a copy of the worm from a remote URL, save it as C:\POWARC860.EXE and execute it. The worm also allows unauthorised remote access to the computer via IRC channels.
The main file is a self-extracting EXE which creates a folder called POWERARC80 within the Windows system folder, then drops and executes several files, some of which are legitimate utilities or innocuous files:
- POWARC.EXE downloads and executes copies of the worm from the internet
- B1SH is a configuration file
- CONFIG.INI is a configuration INI file
- CONSTR is a TXT file containing a list of passwords
- F.F is a TXT file containing ranges of IP addresses
- HKO.EXE is a legitimate networking utility called PSEXEC
- HUST is an INI file which allows unauthorised remote access to the computer via IRC channels
- MATH.EXE is a legitimate utility called HIDEWINDOW
- MORT.EXE is a legitimate utility called HIDERUN
- MT.EXE is a legitimate utility called PRCVIEW
- PLUGED.EXE is a legitimate mIRC client
- Q8H3LLTM is a configuration INI file
- R.BAT attempts to copy the worm to network shares and execute it using PSEXEC
- R.R is a TXT file containing ranges of IP addresses
- RETA.BAT is used to give certain files hidden, system and read-only attributes
- TOTAL.EXE is a legitimate utility called HIDEWINDOW
- VHOST.EXE is a legitimate networking utility called XSCAN
- 090-NTPASS.XPN is a legitimate DLL plugin for XSCAN
- X-SCANCFG.INI is an innocuous TXT file
W32/Randon-AC creates an entry in the following registry key to run PLUGED.EXE on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
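As an added example (not Sophos's tool or code from this page), the following PowerShell triage script reports, without deleting anything, the artefacts this analysis names: the POWERARC80 drop folder and the files listed above, C:\POWARC860.EXE, and Run-key values that refer to PLUGED.EXE or to the drop folder. The function name Find-RandonArtefacts and the choice of the System32 folder as the "Windows system folder" are assumptions.

```powershell
# Added triage script, not Sophos's own tool. It only reports W32/Randon-AC
# artefacts named in the analysis; removal is still done by hand as described above.
# Run from an elevated PowerShell prompt so HKLM and the system folder are readable.
$SystemDir  = [Environment]::GetFolderPath('System')   # assumed: e.g. C:\Windows\System32
$DropFolder = Join-Path $SystemDir 'POWERARC80'
$RunKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# File names the analysis lists as dropped into POWERARC80.
$DroppedNames = @('POWARC.EXE', 'B1SH', 'CONFIG.INI', 'CONSTR', 'F.F', 'HKO.EXE', 'HUST',
                  'MATH.EXE', 'MORT.EXE', 'MT.EXE', 'PLUGED.EXE', 'Q8H3LLTM', 'R.BAT',
                  'R.R', 'RETA.BAT', 'TOTAL.EXE', 'VHOST.EXE', '090-NTPASS.XPN',
                  'X-SCANCFG.INI')

function Find-RandonArtefacts {   # hypothetical name, not from the analysis
    $findings = @()

    # 1. The drop folder inside the Windows system folder (Test-Path also sees
    #    files that RETA.BAT has marked hidden/system).
    if (Test-Path -LiteralPath $DropFolder) {
        $findings += "Drop folder present: $DropFolder"
        foreach ($name in $DroppedNames) {
            $path = Join-Path $DropFolder $name
            if (Test-Path -LiteralPath $path) { $findings += "  dropped file: $path" }
        }
    }

    # 2. The copy that POWARC.EXE downloads from the remote URL.
    if (Test-Path -LiteralPath 'C:\POWARC860.EXE') {
        $findings += 'Downloaded copy present: C:\POWARC860.EXE'
    }

    # 3. Run-key values that start PLUGED.EXE or anything under the drop folder.
    if (Test-Path -LiteralPath $RunKey) {
        $props = Get-ItemProperty -LiteralPath $RunKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            $value = [string]$p.Value
            if ($value -match 'PLUGED\.EXE' -or $value -match 'POWERARC80') {
                $findings += "Run value '$($p.Name)' = $value"
            }
        }
    }
    return $findings
}

$result = Find-RandonArtefacts
if ($result.Count -eq 0) { 'No W32/Randon-AC artefacts found.' } else { $result }
```

Any Run value the script reports corresponds to the registry entry the Action section tells you to remove after deleting the files it points at.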
