Threat Encyclopedia
W32/Randex.X
Analysis
- The virus is a 32-bit executable with a file size of 60,416 bytes
- The virus may be introduced to the system from another computer across a network or the Internet, particularly if the target system has a weak password, or no password, on the main or administrator account
- If the virus is run, it copies itself to the %Windows%\System folder as "piriax32.exe"
- Next, the virus modifies the registry so that it runs automatically at the next Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Winux Piriax Service" = piriax32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"Winux Piriax Service" = piriax32.exe
- The virus then attempts to locate other systems across the network, connect to them, and infect them by copying itself to the target machine. It tries to write itself to one of three possible share locations:
C$
ADMIN$
ipc$
- If the virus succeeds in connecting to the target, it attempts to write itself as "musirc4.71.exe" to the System32 folder
- Next, the virus remotely schedules that system to run the file, using the import "NetScheduleJobAdd" from Netapi32.dll
- The virus scans for other systems across the same subnet using randomly selected IP addresses (a.b.*.*)
- The virus attempts to send a DNS query packet to identify the IP address of the IRC server "irc.undernet.org", and then attempts to join the IRC channel "#DeathBlossom"
- The virus then awaits instructions from a hacker or group of hackers
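A defender-side check for the persistence entries and dropped file names listed above, added here as an example and not part of the original encyclopedia entry. It parses the text of a registry export (the format written by `reg export`; the sample below is constructed) and reports values under the two autorun keys whose name or data match the Randex.X indicators.

```python
import re
from typing import Dict, List

# Indicators from the W32/Randex.X description: the two autorun keys it writes,
# the value name it uses, and the file names it drops locally and on shares.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SUSPECT_VALUE_NAME = "winux piriax service"
SUSPECT_FILES = ("piriax32.exe", "musirc4.71.exe")

# Constructed sample `reg export` text: the two persistence values from the
# description, one benign Run entry, and a matching file name under a key the
# scanner deliberately ignores (it is not an autorun location).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Winux Piriax Service"="piriax32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Winux Piriax Service"="piriax32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Shell"="piriax32.exe"
"""

# "Name"="data" lines; the data quotes are optional so dword: values also parse.
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*"?(.*?)"?$')

def find_randex_autoruns(reg_export: str) -> List[Dict[str, str]]:
    """Return Run/RunServices values whose name or data match the indicators.
    Keys are compared case-insensitively, with any trailing backslash removed."""
    hits: List[Dict[str, str]] = []
    current_key = ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].rstrip("\\").lower()
            continue
        if current_key not in AUTORUN_KEYS:
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name.lower() == SUSPECT_VALUE_NAME or any(f in data.lower() for f in SUSPECT_FILES):
            hits.append({"key": current_key, "name": name, "data": data})
    return hits
```

Running `find_randex_autoruns(SAMPLE_REG)` reports exactly the two "Winux Piriax Service" entries; the same file name under the non-autorun key is not flagged.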
Recommended Action
- If your organization does not require it, deny access to TCP port 445 for Internal to External (INT -> EXT) and External to Internal (EXT -> INT) traffic