YOU’RE NOT VIEWING PANDA SECURITY USA. CLICK TO IMPROVE YOUR EXPERIENCE
VISIT PANDA SECURITY USA
x
48h OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
48-HOUR OFFER
50%
RENEWALS
Home users only
RENEW AT A DISCOUNT
x
SPECIAL OFFER
If you're already a customer of
our homeusers protection,
renew now with 50% off
RENEW NOW
x
HALLOWEEN OFFER
take advantage of our
terrific discounts
BUY NOW AND GET 50% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET 50% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET 50% OFF
x
UP TO
-60%
BUY NOW
x
UP TO
-60%
BUY NOW
Active Scan. Scan your PC free

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Randex.T

Threat LevelModerate threatDamageHighDistributionNot widespread

Effects 

Randex.T has the following effects:

  • It connects to an IRC server in order to receive control commands.
  • It allows to carry out the following actions:
    - Search for network computers to affect.
    - Launch DDoS (Distributed Denial of Service) attacks.
    - Obtain information on the affected computer: CPU, operating system, connections, etc.
    - Update itself by downloading a newer version.
    - Download and run files.
    - Uninstall the worm with the file REMOVE.BAT, which Randex.T carries inside.
  • When it joins an IRC channel, it displays the following text:
    GET A FUCKING LIFE, ASSHOLE.

Infection strategy 

Randex.T creates the following files in the Windows system directory:

  • MUSIRC4.71.EXE, METALROCK-IS-GAY.EXE and METALROCK.EXE. These files are copies of the worm.
  • SPREAD.ME. It generates this file while it is spreading.

Randex.T deletes the following file:

  • NETSTAT.EXE, which is in the Windows system directory. This program allows to check the ports and the connections established.

Randex.T creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    "MusIRC (irc.music.com) client" = musirc4.71.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
    "MusIRC (irc.music.com) client" = musirc4.71.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    "MeTaLRoCk(irc.music.com) has sex with printers" = metalrock-is-gay.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
    "MeTaLRoCk(irc.music.com) has sex with printers" = metalrock-is-gay.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    "Windows MeTalRoCk service" = metalrock.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
    "Windows MeTalRoCk service" = metalrock.exe
    There are several versions of this worm, which create any of the entries mentioned above.
    By creating these entries, Randex.T ensures that it is run whenever Windows is started.

Means of transmission 

Randex.T spreads across shared network resources. It follows the routine below:

  • First of all, it checks if the affected computer is connected to a network.
  • If it is, the worm attempts to gain access to the shared resources by using passwords that are typical or easy to guess.
  • If successful, the worm copies itself to the following directories in the computers it has accessed to:
    C$\WINNT\SYSTEM32
    ADMIN$\SYSTEM32
  • In order to be run, Randex.T uses the API function NetScheduleJobAdd, which generates programmed tasks. However, this function is available only in Windows XP/2000/NT computers; therefore, in Windows Me/98/95 computers, the worm will not be activated unless the user runs it.

Further Details  

Randex.T is written in the programming language Visual C++ v6.0. The worm is 65,536 bytes in size.

ARE YOU FACING ANY PC OR INTERNET RELATED PROBLEMS?
FREE SUPPORT INCLUDED. CALL US 24/7

powered by Anytech365