Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 20 Sep 2004
Damage: Medium

Characteristics: W32.Randin is a worm that spreads through network shares. The worm modifies the registry to ensure that it runs at every Windows start up. It is a slow infector, but it may cause medium damage to the infected computer. Removal is easy using up-to-date antivirus software.

More details about W32.Randin

The worm W32.Randin spreads using network shares. When it is executed, it copies itself as msdata.dat. It then modifies the registry to make sure it is executed every time that Windows starts. It also targets IP addresses in certain ranges and creates addresses by generating random values. The worm then attempts to connect to the ipc$ share of the computer at the generated IP address using port 139. If successful, the worm attempts to enumerate usernames on the remote computer. It then attempts to access shares by combining the user names it has collected from the remote computer, using various passwords. Lastly, it attempts to copy itself to the remote computer and execute the file consoles.exe. If it manages to copy itself across, it schedules a job to run the executable right away.

Apart from spreading threats to other computers, the W32.Randin software is also capable of disabling the running processes of the applications that are present on the user’s computer. Most malicious applications disable the processes of security programs that are protecting the system. This results in poor system security. Other threats may be able to infiltrate the user’s computer without a security application protecting the system.