Randex.T

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Randex.T
Threat Level Damage Distribution

Effects

Randex.T has the following effects:

It connects to an IRC server in order to receive control commands.
It allows to carry out the following actions:
- Search for network computers to affect.
- Launch DDoS (Distributed Denial of Service) attacks.
- Obtain information on the affected computer: CPU, operating system, connections, etc.
- Update itself by downloading a newer version.
- Download and run files.
- Uninstall the worm with the file REMOVE.BAT, which Randex.T carries inside.
When it joins an IRC channel, it displays the following text:
GET A FUCKING LIFE, ASSHOLE.

Randex.T creates the following files in the Windows system directory:

MUSIRC4.71.EXE, METALROCK-IS-GAY.EXE and METALROCK.EXE. These files are copies of the worm.
SPREAD.ME. It generates this file while it is spreading.

Randex.T deletes the following file:

NETSTAT.EXE, which is in the Windows system directory. This program allows to check the ports and the connections established.

Randex.T creates the following entries in the Windows Registry:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
"MusIRC (irc.music.com) client" = musirc4.71.exe
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
"MusIRC (irc.music.com) client" = musirc4.71.exe
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
"MeTaLRoCk(irc.music.com) has sex with printers" = metalrock-is-gay.exe
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
"MeTaLRoCk(irc.music.com) has sex with printers" = metalrock-is-gay.exe
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
"Windows MeTalRoCk service" = metalrock.exe
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunServices
"Windows MeTalRoCk service" = metalrock.exe
There are several versions of this worm, which create any of the entries mentioned above.
By creating these entries, Randex.T ensures that it is run whenever Windows is started.

Randex.T spreads across shared network resources. It follows the routine below:

First of all, it checks if the affected computer is connected to a network.
If it is, the worm attempts to gain access to the shared resources by using passwords that are typical or easy to guess.
If successful, the worm copies itself to the following directories in the computers it has accessed to:
C$\WINNT\SYSTEM32
ADMIN$\SYSTEM32
In order to be run, Randex.T uses the API function NetScheduleJobAdd, which generates programmed tasks. However, this function is available only in Windows XP/2000/NT computers; therefore, in Windows Me/98/95 computers, the worm will not be activated unless the user runs it.

Randex.T is written in the programming language Visual C++ v6.0. The worm is 65,536 bytes in size.