W32.Randex


Aliases: IRC-BBot, WORM_RPCSDBOT.A, Trojan-Dropper.Win32.Small.bc
Variants: W32.Randex.f, W32.Randex.gen

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 12 Aug 2003
Damage: Medium

Characteristics: W32.Randex.E is an Internet Relay Chat (IRC) Trojan Horse. It allows its creator to control a computer by using IRC. It is also a worm that can use the DCOM RPC to spread itself. The worm is a slow infector. However, it may cause moderate damage to an infected computer.

More details about W32.Randex

Once W32.Randex.E is executed, it copies itself as one of the following filenames: nstask32.exe and winlogin.exe. It also copies itself to the Windows Temp folder using some randomly generated file names. It creates one of the following: win32sockdrv.dll or yuetyutr.dll. It injects the dropped DLL as a module into the Explorer.exe process. It also uses this dropped DLL file to spread itself through IRC. Then, it uses it to exploit the DCOM RPC vulnerability. It alters the registry to make sure it runs every time Windows starts. The worm contains its own IRC client. This allows it to connect to specified IRC servers. It joins a channel to listen for commands from the worm's creator. One of the commands is to exploit the DCOM RPC vulnerability.

The worm generates random IP addresses. Once the IP address is generated, it sends specially formed data. This exploits the DCOM RPC vulnerability to that particular IP address. The W32.Randex.E application spreads threats to other computers. This may be done through the applications that are installed on the user’s computer. These include P2P (peer-to-peer) file sharing programs. P2P programs are said to be loaded with plenty of threats. They are not seen as threats by the user because they have filenames of popular downloads and legitimate programs. The Trojan software automatically executes on the user’s computer once the download has been completed. Another method of propagating threats is through instant messaging programs. Users that send and receive files via instant messaging programs may transmit threats to other computers that are uninfected. This happens when the user’s computer is not protected by an anti-malware application or a firewall.