W32/Randon.worm

Type
Virus
SubType
Worm
Discovery Date
03/03/2003
Length
approx 735 kB for the SFX dropper
Minimum DAT
4251 (03/05/2003)
Updated DAT
4251 (03/05/2003)
Minimum Engine
5.1.00
Description Added
03/04/2003
Description Modified
03/31/2004 5:58 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

There are many variants of this worm. The description below should be used as a general guide to the typical characteristics of this family.

Please ensure that the scanning of compressed files is enabled (the default option) and use the latest engine/DATs for optimal detection.

This detection is for an IRC-based package which consists of multiple files, some of which are already detected by McAfee products. The package bears similarities to IRC/Backdoor.g.

The main package is contained within a self-extracting archive. Since the archive is stored remotely (and downloaded by the downloader component) its filename and filesize may vary. Examples seen thus far include:

  • AZAS.EXE (735,468 bytes)
  • SECS.EXE (735,544 bytes)
  • ALI.EXE (735,468 bytes)
  • AO.EXE (735,435 bytes)

These archives are detected as IRC/Flood.ap.dr with the specified DATs.

When the SFX archive is executed on the victim machine, many files are dropped into the installation directory. The exact directory and filenames may well change - details for the packages seen thus far are shown below:

The installation directory is created within %Sysdir%, for example:

  • c:\WINNT\system32\zx
  • c:\WINNT\system32\zxz

Into this directory the following files are dropped:

  • A.A (40 bytes) - garbage text file, detected as IRC/Flood.ap by the 4211 DATs (or greater).
  • B.A (98 bytes) - garbage text file
  • DETA.EXE (19,968 bytes) - application HideWindow
  • FCONTROL.A (10,104 bytes) - IRC script
  • IFCONTROL.A (26,799 bytes) - IRC script
  • INCS.BAT (1,854 bytes) - batch script which attempts to connect to other remote machines (IPC$ share) using various username/password combinations. If successful, it launches SENCS.BAT (via HideWindow application - DETA.EXE). This is detected as IRC/Backdoor.g .
  • PSEXEC.EXE (37,376 bytes) - application RemoteProcessLaunch
  • RCFG.INI (2,432 bytes) - IRC script
  • rconnect.conf (315 bytes)
  • READER.W (105,374 bytes) - garbage text file. This is not detected; simply delete the file.
  • SA.EXE (1,312 bytes) - downloader trojan, detected as Downloader-AE (with 4211 DATs or greater). When executed this component attempts to download the trojan self-extracting archive from a remote server.
  • SCONTROL.A (2,640 bytes) - IRC script
  • SENCS.BAT (2,941 bytes) - batch script which uses RemoteProcessLaunch application to execute SA.EXE (the downloader component) on remote machines.
  • SYSTREY.EXE (562,688 bytes) - this is a hacked mIRC client detected as BackDoor-GI with the 4252 DATs.

NB: the application type detections detailed above require either the command-line scanner (with /PROGRAM switch) or VirusScan 7 (with detect potentially unwanted applications enabled). See the separate detections for the relevant applications for more details.

The hacked mIRC client is run at system startup thanks to the following Registry key which is added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"updateWins" = c:\winnt\system32\zx\systrey.exe

The following username/password combinations are used by the INCS.BAT batch file (username, password):

  • Administrator, Administrator
  • Administrator, "" (blank)
  • test, test
  • Administrator, test
  • Administrator, test123
  • Administrator, temp
  • Administrator, temp123
  • Administrator, pass
  • Administrator, password
  • Administrator, admin
  • root, root
  • Administrator, changeme
  • admin, admin

Symptoms

  • Existence of the files and Registry key detailed above
  • Unexpected network traffic on port 6667
  • Increase in traffic on port 445
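The two network symptoms above can be checked together: a host that both talks to an IRC server on port 6667 and fans out to many peers on port 445 fits the pattern of the hacked mIRC client plus the INCS.BAT/PSEXEC spreading. The following is an added example, not McAfee's tooling; the log format, the sample lines and the 10-target threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the description: IRC control traffic and IPC$ spreading.
IRC_PORT = 6667
SMB_PORT = 445
SMB_SCAN_THRESHOLD = 10          # assumption: distinct 445 targets that count as a spike
RUN_VALUE_NAME = "updateWins"    # Run-key value name added by the package
DROPPED_EXE = "systrey.exe"      # hacked mIRC client dropped into %Sysdir%\zx

# Constructed sample connection log, one line per flow: "<time> <src> <dst> <dport>".
_lines = ["10:00:01 10.0.0.5 192.0.2.10 6667"]                       # infected host -> IRC
_lines += [f"10:00:{i:02d} 10.0.0.5 10.0.0.{100+i} 445" for i in range(2, 14)]  # 12 SMB targets
_lines += ["10:01:00 10.0.0.7 10.0.0.9 445",                         # normal file-share use
           "10:01:01 10.0.0.7 10.0.0.9 445",
           "10:02:00 10.0.0.8 192.0.2.10 6667",                      # IRC only, no SMB fan-out
           "garbled line that should be skipped"]
SAMPLE_LOG = "\n".join(_lines)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def summarise_hosts(log_text):
    """Per source host: count of IRC flows and the set of distinct SMB targets."""
    hosts = defaultdict(lambda: {"irc": 0, "smb_targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        _, src, dst, dport = m.groups()
        if int(dport) == IRC_PORT:
            hosts[src]["irc"] += 1
        elif int(dport) == SMB_PORT:
            hosts[src]["smb_targets"].add(dst)
    return hosts

def suspicious_hosts(log_text, threshold=SMB_SCAN_THRESHOLD):
    """Hosts showing both symptoms at once: IRC traffic and SMB fan-out to many peers."""
    return sorted(src for src, s in summarise_hosts(log_text).items()
                  if s["irc"] > 0 and len(s["smb_targets"]) >= threshold)

def run_value_is_suspicious(name, data):
    """Match one Run-key value against the name/path pattern in the description."""
    return name.lower() == RUN_VALUE_NAME.lower() or data.lower().endswith(DROPPED_EXE)

if __name__ == "__main__":
    print("hosts to investigate:", suspicious_hosts(SAMPLE_LOG))
```

Hosts flagged this way should then be checked for the files and the Run-key value listed above.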

Method of Infection

This trojan package consists of multiple files (some of which are legitimate applications). It is the combination of these components (downloader, remote process launcher, mIRC client, IRC scripts etc) that provide the basis of the malware's functionality.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.IRC.Aladinz.N (Symantec)
  • IRC/Flood.ap
  • IRC/Flood.ap.dr
  • Q8Hell
  • W32/Randon.worm (AVP)
  • W32/Randon.worm.ap
