W32/Randbot.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 06/18/2003
- Length: varies
- Minimum DAT: 4273 (06/25/2003)
- Updated DAT: 4363 (05/26/2004)
- Minimum Engine: 5.1.00
- Description Added: 06/19/2003
- Description Modified: 04/30/2004 12:31 AM (PT)
Characteristics
-- Update April 14th 2004 --
This family of IRC worms (related to IRC-Sdbot, W32/Sdbot.worm, W32/Gaobot, W32/Spybot, W32/Polybot) has been growing rapidly and now has 138 variants.
Although most of the new variants were detected proactively, AVERT's advice is to use the latest engine and DATs for the best possible protection. It is also important to make sure that scanning of packed executables (e.g., UPX) has not been disabled (this setting is "on" by default).
A few of the recent variants:
| Filename | Filesize (bytes) | Minimum DAT |
|---|---|---|
| GT.EXE | 44,032 | 4349 |
| REGEDLT.EXE | 52,224 | 4349 |
| SVCHOCT.EXE | 54,784 | 4349 |
| RAND32.EXE | 45,156 | 4292 |
| SPOLSV.EXE | 52,736 | 4292 |
| WSASS.EXE | 92,672 | 4292 |
| SVCHOSTH.EXE | 49,252 | 4292 |
| MSSHELL.EXE | 75,264 | 4349 |
| MSSHELL.EXE | 75,752 | 4349 |
| WINEDU16.EXE | 55,808 | 4292 |
| INETMGR.EXE | 49,152 | 4292 |
| WINSYSH.EXE | 49,152 | 4292 |
| REGEDLT.EXE | 52,224 | 4352 |
| ANTIVIRUS32.EXE | 55,808 | 4352 |
--
-- Update August 14th 2003 --
Another variant of this worm has been reported to AVERT. It is proactively detected as W32/Randex.worm.c with the 4273 DATs or greater.
It bears strong similarities to the variant described below, again heavily IRC-Sdbot based. Key differences include:
- Filesize: 60,416 bytes
- Installation filename: PH32.EXE (same installation directory as below)
- Network propagation filename: NETFD32.EXE (targets same remote directories as below)
- Mutex object: PIEBOT-FE
- Registry key hooks:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Winux Piriax Service" = PH32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Winux Piriax Service" = PH32.EXE
- This variant tries fewer passwords in attempted network propagation:
- 12345
- pass
- password
--
There are multiple variants of this worm, which is based heavily upon an existing IRC trojan, IRC-Sdbot.
Installation
When run on the victim machine, the worm installs itself as GESFM32.EXE in the Windows System folder, for example:
C:\WINNT\SYSTEM32\GESFM32.EXE (40,960 bytes)
A mutex object with the following name is created:
monk.10
The following Registry keys are added to hook system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Netview" = GESFM32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Netview" = GESFM32.EXE
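The Run and RunServices hooks are the most durable host indicators on this page, and a .reg export of those two keys is easy to collect from a suspect machine. The Python below is an added example written for this page, not AVERT's tool or the worm's code: it parses the string-value subset of the .reg export format and reports entries whose value name or launched filename matches the names this description gives for the GESFM32 and PH32 variants (plus the MSMONK32 and NETFD32 propagation copies). The sample export is constructed for the example; the one legitimate entry in it is there only to show that it is not flagged.

```python
import re

# Indicators taken from the description: startup value names and the
# filenames the worm uses when it installs itself or copies to a remote share.
RANDBOT_VALUE_NAMES = {"microsoft netview", "winux piriax service"}
RANDBOT_FILENAMES = {"gesfm32.exe", "ph32.exe", "msmonk32.exe", "netfd32.exe"}
STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
_STARTUP_KEYS_LC = {k.lower() for k in STARTUP_KEYS}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')


def parse_reg_export(text):
    """Parse the string-value subset of .reg export syntax.

    Returns a list of (key, value_name, data) tuples. Doubled backslashes and
    escaped quotes in the export are unescaped so data compares as a plain path.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m.group(1), data))
    return entries


def scan_startup_entries(text):
    """Return Run/RunServices entries matching the Randbot indicators.

    A hit is reported if either the value name or the basename of the launched
    executable is one the description lists, so a renamed value name still
    fires on the filename and vice versa.
    """
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in _STARTUP_KEYS_LC:
            continue
        # The worm registers a bare filename, resolved from the System folder;
        # take the first token so trailing arguments do not hide the basename.
        exe = data.strip('"').split()[0] if data.strip() else ""
        basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in RANDBOT_VALUE_NAMES:
            reasons.append("value name")
        if basename in RANDBOT_FILENAMES:
            reasons.append("filename")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "matched": reasons})
    return hits


# Constructed sample export (not from a real infection): one legitimate entry
# and one persistence entry for each of the two variants described above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\\WINNT\\system32\\mobsync.exe /logon"
"Microsoft Netview"="GESFM32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Winux Piriax Service"="PH32.EXE"
'''

if __name__ == "__main__":
    for hit in scan_startup_entries(SAMPLE_EXPORT):
        print(hit)
```

On a live machine the export would come from `reg export` of each key; because the worm registers a bare filename, a hit should be followed by checking for that file in the System folder and, on an NT-family system, for a running process of the same name holding the mutex named above.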
The worm attempts to connect to a remote IRC server (the IP address of which is stored in the worm) and join an IRC channel, where it awaits commands. These commands include:
- update
- clone
- download
- ntscan/ntstop - start/stop scanning for remote machines to infect
- syn - launch a SYN flood attack (TCP SYN packets with a window size of 55808 bytes)
- sysinfo - retrieve system information (e.g., CPU, dial-up and OS details)
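The 55808-byte window size quoted for the syn command is a packet-level fingerprint a network defender can test for. The Python below is an added example written for this page, not AVERT's code or anything recovered from the worm: it decodes a raw 20-byte TCP header with `struct`, flags bare SYNs (SYN set, ACK clear) carrying that window size, and runs over packets it constructs itself. Only the window-size constant comes from the description; the ports, sequence numbers and packet mix are invented for the test.

```python
import struct

# Window size the description gives for the worm's SYN flood packets.
RANDBOT_SYN_WINDOW = 55808

TCP_FLAG_FIN, TCP_FLAG_SYN, TCP_FLAG_RST = 0x01, 0x02, 0x04
TCP_FLAG_PSH, TCP_FLAG_ACK = 0x08, 0x10


def parse_tcp_header(data):
    """Decode the fixed 20-byte TCP header (RFC 793) from raw bytes.

    Returns a dict with ports, sequence numbers, flags, window size and header
    length; raises ValueError if fewer than 20 bytes are supplied.
    """
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,   # data offset is in 32-bit words
        "flags": off_flags & 0x1FF,            # low 9 bits: NS plus the eight classic flags
        "window": window, "checksum": csum, "urgent": urg,
    }


def is_randbot_syn(hdr):
    """True for a bare SYN (no ACK) carrying the 55808 window fingerprint."""
    flags = hdr["flags"]
    return bool(flags & TCP_FLAG_SYN) and not (flags & TCP_FLAG_ACK) and hdr["window"] == RANDBOT_SYN_WINDOW


def build_tcp_header(sport, dport, seq, flags, window, header_len=20):
    """Assemble a minimal TCP header; used here only to construct sample packets."""
    off_flags = ((header_len // 4) << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, window, 0, 0)


def count_fingerprinted_syns(packets):
    """Count packets whose TCP header matches the fingerprint; runts are skipped."""
    n = 0
    for pkt in packets:
        try:
            if is_randbot_syn(parse_tcp_header(pkt)):
                n += 1
        except ValueError:
            continue
    return n


# Constructed packets (not captured traffic): two flood SYNs, one ordinary SYN
# with a 64 KiB window, and one SYN/ACK that happens to carry the flood window
# and must not be flagged.
SAMPLE_PACKETS = [
    build_tcp_header(1025, 80, 0x11111111, TCP_FLAG_SYN, RANDBOT_SYN_WINDOW),
    build_tcp_header(1026, 80, 0x22222222, TCP_FLAG_SYN, RANDBOT_SYN_WINDOW),
    build_tcp_header(1027, 80, 0x33333333, TCP_FLAG_SYN, 65535),
    build_tcp_header(80, 1025, 0x44444444, TCP_FLAG_SYN | TCP_FLAG_ACK, RANDBOT_SYN_WINDOW),
]

if __name__ == "__main__":
    print(count_fingerprinted_syns(SAMPLE_PACKETS), "fingerprinted SYNs")
```

A window size on its own is a weak signal, since nothing stops a legitimate stack from advertising 55808; treat a match as a reason to look at the rate of bare SYNs from the host and whether they target a single destination, which is what distinguishes a flood from normal connection setup.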
Network Propagation
On receiving the appropriate command via IRC, the worm attempts to connect to remote machines at randomly generated IP addresses, taking advantage of weak passwords.
The worm tries the following passwords:
- server
- !@#$%^&*
- !@#$%^&
- !@#$%^
- !@#$%
- asdfgh
- asdf
- !@#$
- 654321
- 123456
- 1234
- 123
- 111
- 1
- root
- admin
If successful, the worm copies itself to the remote machine as MSMONK32.EXE in the following locations:
- \C$\WINNT\SYSTEM32\MSMONK32.EXE
- \ADMIN$\SYSTEM32\MSMONK32.EXE
To run the copy, a job is scheduled on the remote machine; this relies on the Schedule service running on the target.
Note: the function used to schedule this job is not supported on Windows 9x/ME, so the remote copy cannot be started this way on those systems.
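The propagation described above has a recognisable shape in share-access telemetry: one source fails authentication against the ADMIN$ or C$ share of many randomly chosen hosts in quick succession, and on the host where a guess succeeds it writes MSMONK32.EXE (or NETFD32.EXE) into System32. The Python below is an added example written for this page, not AVERT's code or the worm's: it flags both stages over a simple one-line-per-event audit format that is an assumption for the example (not a Windows event log format), and the sample lines, addresses and the use of the Administrator account are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Filenames the description gives for the copy dropped on a remote share.
DROPPED_NAMES = {"msmonk32.exe", "netfd32.exe"}
# Shares the description says the worm writes to.
TARGET_SHARES = {"ADMIN$", "C$"}


def parse_line(line):
    """Parse one constructed audit line (format assumed for this example):
    '<iso-time> src=<ip> dst=<ip> user=<name> share=<name> action=<auth|write> result=<ok|fail> [file=<path>]'
    """
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_share_guessing(lines, window=timedelta(seconds=60), min_targets=3):
    """Flag sources that fail authentication against an administrative share on
    at least `min_targets` distinct hosts within `window`.

    Random-target password guessing produces exactly this shape: one source,
    many hosts, a handful of attempts each. Returns {src: [sorted targets]}.
    """
    fails = defaultdict(list)  # src -> [(ts, dst), ...]
    for rec in map(parse_line, lines):
        if rec.get("action") == "auth" and rec.get("result") == "fail" and rec.get("share") in TARGET_SHARES:
            fails[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


def find_drops(lines):
    """Return (src, dst, file) for writes of a known worm filename into a
    target share's System32 directory by a source that had already
    authenticated successfully to that host."""
    authed = set()
    drops = []
    for rec in map(parse_line, lines):
        pair = (rec["src"], rec["dst"])
        if rec.get("action") == "auth" and rec.get("result") == "ok":
            authed.add(pair)
        elif rec.get("action") == "write" and pair in authed:
            path = rec.get("file", "").replace("/", "\\").lower()
            if path.split("\\")[-1] in DROPPED_NAMES and "system32" in path:
                drops.append((rec["src"], rec["dst"], rec["file"]))
    return drops


# Constructed sample (not real telemetry): 10.0.0.5 sweeps four hosts, gets in
# on 10.0.0.23 and drops MSMONK32.EXE; 10.0.0.9 is an operator who mistypes a
# password once and must not be flagged.
SAMPLE_LOG = """\
2003-06-18T10:00:01 src=10.0.0.5 dst=10.0.0.17 user=Administrator share=ADMIN$ action=auth result=fail
2003-06-18T10:00:02 src=10.0.0.5 dst=10.0.0.17 user=Administrator share=ADMIN$ action=auth result=fail
2003-06-18T10:00:04 src=10.0.0.5 dst=10.0.0.23 user=Administrator share=ADMIN$ action=auth result=fail
2003-06-18T10:00:05 src=10.0.0.5 dst=10.0.0.23 user=Administrator share=ADMIN$ action=auth result=ok
2003-06-18T10:00:06 src=10.0.0.5 dst=10.0.0.23 user=Administrator share=ADMIN$ action=write result=ok file=ADMIN$\\SYSTEM32\\MSMONK32.EXE
2003-06-18T10:00:09 src=10.0.0.5 dst=10.0.0.31 user=Administrator share=C$ action=auth result=fail
2003-06-18T10:00:12 src=10.0.0.5 dst=10.0.0.44 user=Administrator share=C$ action=auth result=fail
2003-06-18T10:01:30 src=10.0.0.9 dst=10.0.0.23 user=Administrator share=ADMIN$ action=auth result=fail
2003-06-18T10:01:40 src=10.0.0.9 dst=10.0.0.23 user=Administrator share=ADMIN$ action=auth result=ok
""".splitlines()

if __name__ == "__main__":
    print("guessing:", find_share_guessing(SAMPLE_LOG))
    print("drops:", find_drops(SAMPLE_LOG))
```

The distinct-host count is what separates this from a single user retrying a password; the worm's list is short, so per-host attempt counts stay low and a threshold on failures per host would miss it. A drop hit should be followed by checking the target's Schedule service for the job that launches the copy.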
Symptoms
- Presence of the files and Registry keys detailed above
- Unexpected network traffic between victim and remote IRC server
Method of Infection
Machines with poorly secured network shares may become infected when the worm copies itself into the Windows System directory. Different variants use different filenames, for example:
- MSMONK32.EXE
- NETFD32.EXE
The copy is then executed via a scheduled job. Once executed, the worm installs itself on the machine and connects to a remote IRC server to await commands.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
- W32/Randbot.worm.gen.a
- W32/Randbot.worm.gen.b
- W32/Randbot.worm.gen.c
- W32/Randbot.worm.gen.d
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Gesfm
- Piebot
- W32.Randex.C (NAV)
- W32/Randex.worm.c