Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!

Panda Security

Merry Christmas!

This offer ends in:

0 0

Hours

0 0

Minutes

0 0

Seconds

-60%

Special Offer: Renew with a 60% discount

Forgot your customer ID? Click here

-60%
Panda Security

Merry Christmas!

-50% on all Panda Dome products

-50%
Buy
My Account

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Randex.T

 
Threat LevelModerate threat
DamageHigh
DistributionNot widespread

At a glance

Common name:Randex.T
Technical name:W32/Randex.T.worm
Threat level:Low
Alias:W32/Sdbot.worm.gen.b, Backdoor.IRCBot.gen, W32/Randbot.worm, W32/Randex.worm.c, W32.Randex.Q, Backdoor.IRC.Tastyred, Gesfm, Piebot
Type:Worm
Effects:  It connects to an IRC server in order to receive control commands. It spreads across network shared resources.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

Detection updated on:Jan. 2, 2004
StatisticsNo

Brief Description 

    

Randex.T is a worm that spreads across shared network resources.

Randex.T connects to an IRC server and waits for control commands to be received. It allows an attacking user to carry out the following actions, among others: search for network computers to affect, launch DDoS (Distributed Denial of Service) attacks, obtain information on the affected computer, and download and run files.

When Randex.T ends running, it deletes the Windows file NETSTAT.EXE. This file allows to check the ports that are open and the connections established.

Visible Symptoms 

    

Randex.T is difficult to recognize, as it does not show any messages or warnings that indicate it has reached the computer.

Tech details

Effects

Randex.T has the following effects:

  • It connects to an IRC server in order to receive control commands.
  • It allows to carry out the following actions:
    - Search for network computers to affect.
    - Launch DDoS (Distributed Denial of Service) attacks.
    - Obtain information on the affected computer: CPU, operating system, connections, etc.
    - Update itself by downloading a newer version.
    - Download and run files.
    - Uninstall the worm with the file REMOVE.BAT, which Randex.T carries inside.
  • When it joins an IRC channel, it displays the following text:
    GET A FUCKING LIFE, ASSHOLE.

Infection strategy 

Randex.T creates the following files in the Windows system directory:

  • MUSIRC4.71.EXE, METALROCK-IS-GAY.EXE and METALROCK.EXE. These files are copies of the worm.
  • SPREAD.ME. It generates this file while it is spreading.

Randex.T deletes the following file:

  • NETSTAT.EXE, which is in the Windows system directory. This program allows to check the ports and the connections established.

Randex.T creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    "MusIRC (irc.music.com) client" = musirc4.71.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
    "MusIRC (irc.music.com) client" = musirc4.71.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    "MeTaLRoCk(irc.music.com) has sex with printers" = metalrock-is-gay.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
    "MeTaLRoCk(irc.music.com) has sex with printers" = metalrock-is-gay.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    "Windows MeTalRoCk service" = metalrock.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
    "Windows MeTalRoCk service" = metalrock.exe
    There are several versions of this worm, which create any of the entries mentioned above.
    By creating these entries, Randex.T ensures that it is run whenever Windows is started.

Means of transmission 

Randex.T spreads across shared network resources. It follows the routine below:

  • First of all, it checks if the affected computer is connected to a network.
  • If it is, the worm attempts to gain access to the shared resources by using passwords that are typical or easy to guess.
  • If successful, the worm copies itself to the following directories in the computers it has accessed to:
    C$\WINNT\SYSTEM32
    ADMIN$\SYSTEM32
  • In order to be run, Randex.T uses the API function NetScheduleJobAdd, which generates programmed tasks. However, this function is available only in Windows XP/2000/NT computers; therefore, in Windows Me/98/95 computers, the worm will not be activated unless the user runs it.

Further Details  

Randex.T is written in the programming language Visual C++ v6.0. The worm is 65,536 bytes in size.

Solution

See solution

Anytech logo

Call us 24/7 and get a FREE DIAGNOSIS

+1 (323) 395 2630

logo
Panda Security, a WatchGuard Technologies brand, offers the most advanced protection for your family and business. Its Panda Dome range provides maximum security against viruses, ransomware and computer espionage, and is compatible with Windows, Mac, Android and iOS.
    About Panda
    Company Info Reviews Awards and certifications Panda Worldwide Blog Security Info
    Home Users
    Panda Dome portfolio Customer Login Page Online Antivirus Downloads Free Antivirus Free VPN Offers
    Business - WatchGuard Technologies
    Watchguard Endpoint Security Network Security Authpoint MFA Secure Wi-Fi Partners
    Visa Master Card Maestro Pay Pal Apple Pay
    Bank Transfer iDeal Klarna
    Privacy Policy Legal Notice Cookie Policy Return Policy