W32/Randbot.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 06/18/2003
Length: varies
Minimum DAT: 4273 (06/25/2003)
Updated DAT: 4363 (05/26/2004)
Minimum Engine: 5.1.00
Description Added: 06/19/2003
Description Modified: 04/30/2004 12:31 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update April 14th 2004 --

This family of IRC worms (related to IRC-Sdbot, W32/Sdbot.worm, W32/Gaobot, W32/Spybot and W32/Polybot) has been growing rapidly and now has 138 different variants.

Although most of the new variants were proactively detected, AVERT's advice is to use the latest engine and DATs for the best possible protection. It is also important to make sure that scanning of packed executables (e.g., UPX) has not been disabled (this setting is "on" by default).

A list of a few recent samples from this family:

 Filename          Filesize   Minimum DAT
 GT.EXE            44,032     4349
 REGEDLT.EXE       52,224     4349
 SVCHOCT.EXE       54,784     4349
 RAND32.EXE        45,156     4292
 SPOLSV.EXE        52,736     4292
 WSASS.EXE         92,672     4292
 SVCHOSTH.EXE      49,252     4292
 MSSHELL.EXE       75,264     4349
 MSSHELL.EXE       75,752     4349
 WINEDU16.EXE      55,808     4292
 INETMGR.EXE       49,152     4292
 WINSYSH.EXE       49,152     4292
 REGEDLT.EXE       52,224     4352
 ANTIVIRUS32.EXE   55,808     4352

--

-- Update August 14th 2003 --

Another variant of this worm has been reported to AVERT. It is proactively detected as W32/Randex.worm.c with the 4273 DATs or greater.

It bears strong similarities to the variant described below, again heavily IRC-Sdbot based. Key differences include:

  • Filesize: 60,416 bytes
  • Installation filename: PH32.EXE (same installation directory as below)
  • Network propagation filename: NETFD32.EXE (targets same remote directories as below)
  • Mutex object: PIEBOT-FE
  • Registry key hooks:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Winux Piriax Service" = PH32.EXE

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices "Winux Piriax Service" = PH32.EXE

  • This variant uses fewer passwords in attempted network propagation:
    • 12345
    • pass
    • password

--

There are multiple variants of this worm, which is based heavily upon an existing IRC trojan, IRC-Sdbot.

Installation

When run on the victim machine, the worm installs itself as GESFM32.EXE in the Windows System folder, for example:

C:\WINNT\SYSTEM32\GESFM32.EXE (40,960 bytes)

A mutex object with the following name is created:

monk.10

The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Microsoft Netview" = GESFM32.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "Microsoft Netview" = GESFM32.EXE

The worm attempts to connect to a remote IRC server (the IP address of which is stored in the worm) and join an IRC channel, where it awaits commands. These commands include:

  • update
  • clone
  • download
  • ntscan/ntstop - start or stop scanning for remote machines to infect
  • syn - launch a SYN flood attack (TCP SYN packets with the window size set to 55808 bytes)
  • sysinfo - retrieve system information (e.g. CPU, dial-up and OS details)

Network Propagation

Upon the appropriate remote command (via IRC), the worm attempts to connect to remote machines, taking advantage of machines with weak passwords. Remote machines are selected by generating random IP addresses.

The following passwords are used by the worm:

  • server
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • !@#$%
  • asdfgh
  • asdf
  • !@#$
  • 654321
  • 123456
  • 1234
  • 123
  • 111
  • 1
  • root
  • admin

If successful, the worm copies itself to the remote machine as MSMONK32.EXE to the following locations:

  • \C$\WINNT\SYSTEM32\MSMONK32.EXE
  • \ADMIN$\SYSTEM32\MSMONK32.EXE

To run the worm, a job is scheduled on the remote machine; this relies upon the Schedule service running on the target machine.

Note: the function that is used to schedule this job is not supported on Windows 9x/ME.

Symptoms

  • Presence of the files and Registry keys detailed above
  • Unexpected network traffic between victim and remote IRC server
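As an added example (not part of the McAfee description), the following Python script checks a Windows registry export for the startup hooks and filenames documented above, covering both the GESFM32.EXE ("Microsoft Netview") and PH32.EXE ("Winux Piriax Service") variants; the .reg text is constructed sample input, and the value-name and filename lists are taken from this description.

```python
import re
# Startup-hook values and filenames this family is documented to use, taken
# from the description above. The .reg text is constructed sample input.
RANDBOT_HOOKS = {"Microsoft Netview": "GESFM32.EXE", "Winux Piriax Service": "PH32.EXE"}
RANDBOT_FILES = {"GESFM32.EXE", "MSMONK32.EXE", "PH32.EXE", "NETFD32.EXE"}
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
STARTUP_KEYS = (CV + r"\Run", CV + r"\RunServices")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Microsoft Netview"="GESFM32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Winux Piriax Service"="C:\\WINNT\\SYSTEM32\\PH32.EXE"
'''

# "name"="data" string value; .reg exports escape backslashes and quotes with \
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:  # unescape \\ -> \ so the path splits on single backslashes
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_randbot_hooks(reg_text):
    """Return (key, name, data, reason) for each Run/RunServices value that is a
    documented Randbot hook or launches a documented Randbot filename."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in STARTUP_KEYS:
            continue
        for name, data in values.items():
            # executable name only: strip the directory and any arguments
            exe = data.split("\\")[-1].split()[0].upper() if data.strip() else ""
            if RANDBOT_HOOKS.get(name) == exe:
                hits.append((key, name, data, "known Randbot startup hook"))
            elif exe in RANDBOT_FILES:
                hits.append((key, name, data, "launches a Randbot filename"))
    return hits
```

Run it against a `reg export` of the Run and RunServices keys from a suspect host; a hit on the value name alone with a different executable is not reported, so compare the listed filenames manually as well.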

Method of Infection

Machines with poorly secured network shares may become infected via the worm copying itself into the Windows System directory. Differing variants use different filenames, for example:

  • MSMONK32.EXE
  • NETFD32.EXE

The copied file is subsequently executed via a scheduled job. Once executed, the worm installs itself on the machine and connects to a remote IRC server to await commands.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/Randbot.worm.gen.a
  • W32/Randbot.worm.gen.b
  • W32/Randbot.worm.gen.c
  • W32/Randbot.worm.gen.d

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Gesfm
  • Piebot
  • W32.Randex.C (NAV)
  • W32/Randex.worm.c
