W32/Randon-V

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

Delete any unwanted dropped files.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Randon-V is a multi-component network worm which attempts to spread by
copying itself to and executing itself on remote IPC$ shares with weak
passwords.

The main file is an SFX EXE which creates a folder called MAZE within the
Windows system folder and drops and executes several files, some of
which are legitimate utilities or innocuous files, e.g.:

• XDE.BAT - A BAT file which deletes certain network shares
• X.BAK - An innocuous file containing a list of possible passwords
• TOOL.EXE - Troj/Mirchack-A
• TOOL.VSX - A configuration INI file (mIRC/Randon-V)
• MENU.DLL - An INI file which may be used to flood IRC channels (mIRC/Randon-V)
• NOR32.EXE - A legitimate networking utility called PSEXEC
• SHR.BAT - A BAT file which sets the system, hidden and read-only attributes on the dropped files
• TLBAR.EXE - A legitimate utility called HideWindow
• XCAR.BAT - A BAT file which spreads the worm using PSEXEC
• ALT.EXE - A legitimate utility called ProcView
• HEAT.EXE - Troj/Apher-J

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

to run itself on system restart.