W32.Randex.PR (symantec32.exe)

Info taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.pr.html

W32.Randex.PR is a network-aware worm that attempts to copy itself to computers with weak administrator passwords. The worm receives instructions from an IRC channel on a predetermined IRC server.

Also Known As: W32/Spybot.worm.gen.a [McAfee]
Variants: W32.Randex.gen
Type: Worm
Infection Length: 66,857 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details:
When W32.Randex.PR is executed, it does the following:

   1. Copies itself as %System%\symantec32.exe.

      Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
   2. Calculates a random IP address and attempts to authenticate itself to it.

   3. Attempts to copy itself to the following locations on computers with weak administrator passwords:
          * \c$\symantec32.exe
          * \c$\winnt\system32\symantec32.exe
          * \Admin$\system32\symantec32.exe

   4. Remotely schedules a task to run the worm on a newly infected computer.

   5. Adds the following value:
          * "Symantec Security"="symantec32.exe"
          * "Windows Loader" = "svchosts.exe"

            to the registry keys:
          * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
          * HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

             so that the worm runs when you start Windows.

   6. Connects to an IRC channel on a predetermined IRC server to receive remote instructions, such as:
          * Ntscan: Scans for computers with weak administrator passwords, and then copies itself to these machines.
          * Syn: Performs a SYN flood attack with a data size of 55808 bytes.
          * Sysinfo: Retrieves the infected machine's information, such as CPU speed and the amount of memory.

   7. Steals the CD keys of the following games:
          * FIFA 2003
          * Need For Speed Hot Pursuit 2
          * Soldier of Fortune II
          * Rainbow Six III Ravenshield
          * Battlefield 1942 Road To Rome
          * Battlefield 1942
          * IGI 2
          * Counter-Strike
          * Unreal Tournament 2003
          * Half-Life
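
The following read-only host check is an added example, not part of the Symantec writeup: it looks for the artifacts named in steps 1, 4 and 5 above (the dropped file in %System%, the two Run-key values, and a scheduled task that launches the file) and reports them without removing anything. It assumes a Windows PowerShell 5.1 or later host; the scheduled-task check uses the ScheduledTasks module (Windows 8 / Server 2012 and later), so on the older systems the page lists that part is skipped. The file name, value names, value data and registry keys are the page's; the variable names and the 66,857-byte comparison are mine.

```powershell
# Added detection check for the W32.Randex.PR artifacts listed on this page.
# Read-only: it reports matches, it does not delete files or registry values.

$systemDir = [Environment]::GetFolderPath('System')   # resolves %System% for this host
$dropped   = Join-Path $systemDir 'symantec32.exe'    # step 1
$expectedLength = 66857                               # "Infection Length" from the page

# Step 5: value name -> data the worm writes
$iocValues = @{
    'Symantec Security' = 'symantec32.exe'
    'Windows Loader'    = 'svchosts.exe'
}

# Step 5: keys the page names (RunServices only exists on Windows 9x/Me)
$iocKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# Step 1: dropped copy in the System folder; note whether the size matches the writeup
if (Test-Path -LiteralPath $dropped) {
    $len = (Get-Item -LiteralPath $dropped).Length
    $findings += [pscustomobject]@{
        Type     = 'File'
        Location = $dropped
        Detail   = "size $len bytes (page lists $expectedLength)"
    }
}

# Step 5: Run / RunServices values pointing at the worm's file names
foreach ($key in $iocKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $iocValues.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop -and "$($prop.Value)" -like "*$($iocValues[$name])*") {
            $findings += [pscustomobject]@{
                Type     = 'Registry'
                Location = "$key\$name"
                Detail   = $prop.Value
            }
        }
    }
}

# Step 4: a scheduled task whose action runs the dropped file (skipped where the module is absent)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -match 'symantec32\.exe') {
                $findings += [pscustomobject]@{
                    Type     = 'Task'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Detail   = $action.Execute
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Randex.PR indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys and the System folder are readable; a hit in any of the three categories is worth following up with the vendor's removal procedure rather than deleting the file by hand, since the Run values would relaunch a second copy at the next logon.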