Virus

W32/Randex.C

Analysis

  • Virus is 32bit with a compressed size of 40,960 bytes and a file date of June 10, 2003
  • Virus uses imports from MPR.DLL to enumerate network connections and attempt to connect with them in an effort to spread to that system – virus is also related to Backdoor.Sdbot in some aspects
  • Virus may exist as the file GESFM32.EXE or MSMONK32.EXE in the Windows\System folder on an infected machine
  • If the virus is activated, it will run memory resident and copy itself to the Windows\System folder and modify the registry to load at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Microsoft Netview = gesfm32.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Microsoft Netview = gesfm32.exe
  • The virus will then attempt to search for machines on the local area network and attempt to connect with them using a dictionary attack method, then write a copy of itself to that machine into the System folder and initiate execution of the file remotely
  • Virus will also attempt to scan IP addresses in an attempt to identify if they are using file share and attempt to infect that target
  • If viable targets are located, virus will attempt to copy itself to the c$\System32 or Admin$\System32 share as msmonk32.exe then issue a remote instruction to run the file
  • Virus attempts to connect to the IP address 217.211.72.145 persistently
  • Virus also serves as an IRC bot allowing a hacker or group of hackers to issue commands such as sending messages or issuing SYN floods
  • Virus contains the string “monk.10 420420” in its compressed body