WORM_RANDEX.Q

Malware type: Worm

Aliases: I-Worm.Simbolos, W32.Randex.Q

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, 2000, NT, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This malware has both worm and backdoor capabilities.

To propagate, it obtains user names and attempts to connect to remote machines using each obtained user name as both user name and password. In effect, accounts that have logon names as passwords allow this worm to propagate.

As a backdoor, it allows a remote user to gain access to a target system via IRC (Internet Relay Chat). It may execute the following commands for the remote malicious user:

  • Upload/download programs on the infected machine
  • Open a file remotely
  • Get system information about the affected machine (e.g. processor speed, memory size, operating system, etc.)
  • Scan for ports
  • Join/leave a specified IRC channel
  • Uninstall a copy of itself
  • Visit a URL
  • Update a copy of itself
  • SYN flood a target host

It also deletes the system file NETSTAT.EXE from the Windows system folder.

Developed in Visual C++, this malware usually arrives as a Win32 executable file compressed with the Aspack utility. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Description created: Oct. 8, 2003 12:48:03 PM GMT -0800
Description updated: Oct. 24, 2003 12:45:30 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 39,424 bytes

Initial samples received on: Oct 8, 2003

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Details:

Installation

Upon execution, this worm drops a copy of itself in the Windows system folder using any of the following file names:

  • MUSIRC4.71.EXE
  • metalrock-is-gay.exe

It executes the dropped file and stays memory-resident. Then, it terminates its original process.

To hide itself from the list of processes on Windows 95, 98, and ME, it registers itself as a service by using the RegisterServiceProcess API.

Autostart Technique

To ensure its automatic execution at every system startup, it creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
MusIRC (irc.musirc.com) client = "musirc4.71.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MusIRC (irc.musirc.com) client = "musirc4.71.exe"

or

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
MeTaLRoCk (irc.musirc.com) has sex with printers = "metalrock-is-gay.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MeTaLRoCk (irc.musirc.com) has sex with printers = "metalrock-is-gay.exe"

Network Propagation

To access remote systems, this worm uses the NetUserEnum API in NETAPI32.DLL to enumerate all user accounts on a server. It then attempts to connect to other machines using WNetAddConnection2A in MPR.DLL, trying each enumerated user account as both user name and password.

For example, to log on to a machine as UserName, it uses the password, UserName.

After successfully logging into a system, it attempts to drop a copy of itself into the following folders:

  • \ADMIN$\system32
  • \C$\WINNT\system32

It uses either of the following file names:

  • musirc4.71.exe
  • spread.exe

It then schedules a network job using the NetScheduleJobAdd API function to run the dropped malware copy.

It also drops a copy of itself as SPREAD.ME in the Windows system folder while performing its propagation routine.

Backdoor Capability

This memory-resident backdoor program utilizes IRC (Internet Relay Chat) for its backdoor routines, allowing a remote malicious user to access the system via IRC. It allows the remote malicious user to perform the following, leaving the affected system compromised:

  • Upload/download programs on the infected machine
  • Open a file remotely
  • Get system information about the affected machine (e.g. processor speed, memory size, operating system, etc.)
  • Scan for ports
  • Join/leave a specified IRC channel
  • Uninstall a copy of itself
  • Visit a URL
  • Update a copy of itself
  • SYN flood a target host

Payload

Upon every execution, it deletes the file NETSTAT.EXE from the Windows system directory.

Other Details

Some of the strings in the malware code are encrypted. It also usually arrives as an Aspack-compressed program to evade antivirus heuristic detection.
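The installation, autostart, propagation and payload sections above give a compact set of host artifacts: the dropped file names, the two Run/RunServices value names, and the deleted NETSTAT.EXE. The following PowerShell function is an added example, not part of the Trend Micro write-up, that checks a host for those artifacts and returns a list of findings. The function and variable names are my own; it assumes an elevated PowerShell session on the host being examined (or a system folder path passed in for an offline copy). RunServices exists only on Windows 95/98/ME, so the key is skipped where it is absent.

```powershell
# Added example (not from the original description): check a host for the
# WORM_RANDEX.Q artifacts listed in the technical details. Names are my own.

# Dropped file names from the Installation and Network Propagation sections.
$RandexFileNames = @('musirc4.71.exe', 'metalrock-is-gay.exe', 'spread.exe', 'spread.me')

# Process names as Get-Process reports them (no .exe extension).
$RandexProcessNames = $RandexFileNames |
    Where-Object { $_ -like '*.exe' } |
    ForEach-Object { $_ -replace '\.exe$', '' }

# Registry value names from the Autostart Technique section.
$RandexValueNames = @(
    'MusIRC (irc.musirc.com) client',
    'MeTaLRoCk (irc.musirc.com) has sex with printers'
)

# Both autostart locations named in the description.
$RandexRunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Find-RandexArtifacts {
    [CmdletBinding()]
    param(
        # Windows system folder; override to point at a mounted offline image.
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped copies in the system folder (hash them for the incident record).
    foreach ($name in $RandexFileNames) {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $path; Detail = $hash })
        }
    }

    # 2. Autostart values under Run and RunServices.
    foreach ($key in $RandexRunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($valueName in $RandexValueNames) {
            $value = $props.PSObject.Properties[$valueName]
            if ($null -ne $value) {
                $findings.Add([pscustomobject]@{ Type = 'AutostartValue'; Location = "$key\$valueName"; Detail = $value.Value })
            }
        }
    }

    # 3. Memory-resident copies still running.
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        if ($RandexProcessNames -contains $proc.Name) {
            $findings.Add([pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path })
        }
    }

    # 4. Payload side effect: the worm deletes NETSTAT.EXE on every execution.
    $netstat = Join-Path $SystemDir 'netstat.exe'
    if (-not (Test-Path -LiteralPath $netstat -PathType Leaf)) {
        $findings.Add([pscustomobject]@{ Type = 'MissingSystemFile'; Location = $netstat; Detail = 'NETSTAT.EXE absent' })
    }

    return $findings
}

# Usage: run on the suspect host and review the table.
$results = Find-RandexArtifacts
if ($results.Count -eq 0) { 'No WORM_RANDEX.Q artifacts found.' } else { $results | Format-Table -AutoSize }
```

A missing NETSTAT.EXE on its own is weak evidence (it may simply never have been installed), so treat that finding as corroboration for the file and registry hits rather than as a detection by itself.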

Analysis by: Maria Joan Gaerlan


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.653.00

Pattern release date: Oct 8, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_RANDEX.Q. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 95/98/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate any of the following processes:
    musirc4.71.exe
    metalrock-is-gay.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete any of the following entries:
    MusIRC (irc.musirc.com) client = "musirc4.71.exe"
    MeTaLRoCk (irc.musirc.com) has sex with printers = "metalrock-is-gay.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete any of the following entries:
    MusIRC (irc.musirc.com) client = "musirc4.71.exe"
    MeTaLRoCk (irc.musirc.com) has sex with printers = "metalrock-is-gay.exe"
  6. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
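The two manual procedures above (terminating the process, then deleting the Run and RunServices values) can be carried out from an elevated PowerShell prompt on systems that have it. The script below is an added example, not Trend Micro's tool or part of the original instructions; the function name and variables are my own. It uses ShouldProcess, so running it with -WhatIf lists every action without changing anything, which is the safer first pass on a machine you have not examined yet. The antivirus scan in the next section is still the step that confirms nothing was missed.

```powershell
# Added example (not from the original instructions): automate the manual
# removal steps for WORM_RANDEX.Q. Names are my own.

$RandexFileNames = @('musirc4.71.exe', 'metalrock-is-gay.exe', 'spread.exe', 'spread.me')

# Process names as Get-Process reports them (no .exe extension).
$RandexProcessNames = @('musirc4.71', 'metalrock-is-gay', 'spread')

$RandexValueNames = @(
    'MusIRC (irc.musirc.com) client',
    'MeTaLRoCk (irc.musirc.com) has sex with printers'
)

$RandexRunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Remove-RandexPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )

    # Step 1: terminate the memory-resident copies (the Task Manager procedure).
    foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        if ($RandexProcessNames -contains $proc.Name) {
            if ($PSCmdlet.ShouldProcess("PID $($proc.Id) ($($proc.Name))", 'Stop-Process')) {
                Stop-Process -Id $proc.Id -Force
            }
        }
    }

    # Step 2: remove the autostart values from Run and RunServices
    # (the Registry Editor procedure). RunServices only exists on 95/98/ME.
    foreach ($key in $RandexRunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($valueName in $RandexValueNames) {
            $existing = Get-ItemProperty -LiteralPath $key -Name $valueName -ErrorAction SilentlyContinue
            if ($null -ne $existing) {
                if ($PSCmdlet.ShouldProcess("$key\$valueName", 'Remove-ItemProperty')) {
                    Remove-ItemProperty -LiteralPath $key -Name $valueName
                }
            }
        }
    }

    # Step 3: delete the dropped copies from the system folder so they cannot
    # be relaunched before the antivirus scan runs.
    foreach ($name in $RandexFileNames) {
        $path = Join-Path $SystemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            if ($PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
                Remove-Item -LiteralPath $path -Force
            }
        }
    }
}

# Preview first; drop -WhatIf to apply.
Remove-RandexPersistence -WhatIf
```

If a process cannot be stopped (on Windows 95/98/ME it may be hidden from the process list, as the note above says), remove the registry values anyway and restart the system before the scan, which matches the page's own fallback.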

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_RANDEX.Q. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
