Randex-Y 10-28-2005 Source: eSecurityplanet.com 10/28: Randex-Y, a Network Worm
October 28, 2005 W32/Randex-Y is a network worm with backdoor capabilities that allow a remote intruder to access and control the computer via IRC channels.
W32/Randex-Y chooses IP addresses at random and tries to connect to the IPC$ share using simple passwords. If the connection is successful, the worm copies itself to the following remote locations:
\ADMIN$\system32\msnv32.exe
\C$\WINNT\system32\msnv32.exe
W32/Randex-Y then schedules a job to execute the remotely created files. Each time the worm is run, it tries to connect to a remote IRC server and join a specific channel. The worm then runs in the background as a server process listening for commands to execute.
When first run, the worm copies itself to the Windows system folder as IRBMe.exe and adds the following registry entries pointing to this copy so that the worm is run at system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IRBMe Sucks!!
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\IRBMe Sucks!!
W32/Randex-Y may also create the file remove.bat in the Windows temp folder. This file is not malicious and can simply be deleted.
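Added detection example, not part of the eSecurityplanet write-up: a Python script that runs over constructed SMB audit log lines and flags the two spreading behaviours described above, a source fanning out IPC$ connection attempts to many hosts in a short window and a write of msnv32.exe onto a remote ADMIN$ or C$ share. The key=value log format and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SMB audit log (sample data, not a real capture): one event per
# line as space-separated key=value fields, "ts" in ISO-8601.
SAMPLE_LOG = """\
ts=2005-10-28T10:00:01 src=10.0.0.5 dst=10.0.1.17 share=IPC$ op=connect result=fail
ts=2005-10-28T10:00:02 src=10.0.0.5 dst=10.0.1.44 share=IPC$ op=connect result=fail
ts=2005-10-28T10:00:04 src=10.0.0.5 dst=10.0.1.9 share=IPC$ op=connect result=fail
ts=2005-10-28T10:00:05 src=10.0.0.5 dst=10.0.1.23 share=IPC$ op=connect result=ok
ts=2005-10-28T10:00:06 src=10.0.0.5 dst=10.0.1.23 share=ADMIN$ op=write path=system32\\msnv32.exe result=ok
ts=2005-10-28T10:00:07 src=10.0.0.5 dst=10.0.1.61 share=IPC$ op=connect result=fail
ts=2005-10-28T10:00:09 src=10.0.0.5 dst=10.0.1.2 share=IPC$ op=connect result=fail
ts=2005-10-28T10:30:00 src=10.0.0.7 dst=10.0.1.23 share=IPC$ op=connect result=ok
ts=2005-10-28T10:30:01 src=10.0.0.7 dst=10.0.1.23 share=C$ op=write path=docs\\report.doc result=ok
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_log(text):
    """Turn each key=value log line into a dict; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "ts" in fields:
            fields["ts"] = datetime.fromisoformat(fields["ts"])
            events.append(fields)
    return events

def detect_randex_spread(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (a) sources that probe >= threshold distinct hosts over IPC$ inside
    one window (the random-IP password guessing) and (b) writes of msnv32.exe
    to ADMIN$ or C$ (the worm's remote drop locations)."""
    probes, drops = defaultdict(list), []
    for ev in events:
        if ev.get("share") == "IPC$" and ev.get("op") == "connect":
            probes[ev["src"]].append((ev["ts"], ev["dst"]))
        elif (ev.get("op") == "write" and ev.get("share") in ("ADMIN$", "C$")
              and ev.get("path", "").lower().endswith("msnv32.exe")):
            drops.append((ev["src"], ev["dst"], ev["share"], ev["path"]))
    fanout = {}
    for src, conns in probes.items():
        conns.sort()  # sliding window over time-ordered connection attempts
        for i, (t0, _) in enumerate(conns):
            hosts = {dst for ts, dst in conns[i:] if ts - t0 <= window}
            if len(hosts) >= threshold:
                fanout[src] = max(fanout.get(src, 0), len(hosts))
    return {"fanout": fanout, "drops": drops}
```

On the sample data only 10.0.0.5 is reported, for both the IPC$ fan-out and the msnv32.exe drop; the second host's single IPC$ connect and ordinary file write stay quiet.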