Malware type: Worm

In the wild: No

Destructive: No

Language: English

Platform: Windows NT, 2000 , XP

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential:


Distribution potential:



This memory-resident worm has backdoor capabilities, which allow a remote user to take control and compromise a system. It comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for several commands from the malicious user.

It installs itself as MPTCLOCKVV.EXE in the Windows system folder. It also drops copies of itself in specific network shares, and uses a list of user names and passwords to enter into systems with restricted access.

It steals CD keys of certain game applications and terminates several antivirus and security programs, and system processes.

This FSG-compressed malware runs on Windows NT, 2000, and XP.

For additional information about this threat, see:

Description created: Mar. 20, 2004 6:34:31 PM GMT -0800
Description updated: Mar. 20, 2004 6:34:28 PM GMT -0800


Size of malware: 76,880 Bytes

Initial samples received on: Mar 20, 2004

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Payload 2: Terminates certain processes

Trigger condition 1: Upon execution


Installation and Autostart Technique

Upon execution, this memory-resident worm installs itself as the file MPTCLOCKVV.EXE in the Windows system folder.

It then creates the following registry entry to ensure that it automatically executes every time Windows starts:

MP Tclockvv = %System%\mptclockvv.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

After installation, it opens a new process and executes its copy. It then terminates its original process and leaves the new process memory-resident.

Network Propagation

This malware drops a copy of itself in the following shares:

  • Admin$\System32\
  • C$\Windows\System32\
  • C$\WINNT\System32\
  • D$\Windows\System32\
  • D$\WINNT\System32\
  • E$\Windows\System32\
  • E$\WINNT\System32\
  • ipc$

If these network shares have full access rights, this worm attempts to drop and execute a copy of itself. But if these shares have restricted access, it tries to log on to a system by using any of the following partial user names and passwords:

User names:


  • !@#$%
  • !@#$%
  • !@#$%
  • !@#$%
  • 111111
  • 11111111
  • 121212
  • 123123
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 12346
  • 123467
  • 1234678
  • 12346789
  • 123467890
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 54321
  • 654321
  • 88888888
  • abc123
  • admin123
  • asdfgh
  • blank
  • ihavenopass
  • mypass
  • mypass123
  • mypc123
  • pass1234
  • passwd
  • password
  • password1
  • pw123
  • secret
  • super
  • sybase
  • temp123
  • test123

Backdoor Capabilities

This worm comes with a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to an IRC channel and wait for commands from a malicious user.

It allows tha remote user to perform the following actions:

Information Theft

This malware steals the CD keys of the following game software:

Process Termination

This worm terminates the following applications, most of which are antivirus and security programs, and system processes:

Analysis by: Joseph Cepe


Minimum scan engine version needed: 5.600

Pattern file needed: 1.831.14

Pattern release date: Mar 20, 2004

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.


Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    On Windows NT/2000/XP systems, press
    CTRL%20SHIFT%20ESC, and click the Processes tab.
  2. In the list of running programs*, locate the process:
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
  3. In the right panel, locate and delete the entry:
    MP Tclockvv = %System%\mptclockvv.exe
    Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
  4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RANDEX.CJ. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.