W32/Randex.D

description-logoAnalysis

  • Virus is 32bit, with a UPX compressed size of 17,920 bytes
  • Virus bears resemblance to W32/Randex.c in spread method and mechanism
  • The virus may run in as many as 40 threads simultaneously and attempts to connect in rapid succession to numerous and random IP addresses across the Internet in an effort to locate open shares and copy itself to that potential target as the file “msslut32.exe”
  • Virus uses the import “WNetAddConnection2A” from MPR.DLL in order to connect with the target, and uses the import “NetScheduleJobAdd” from “NETAPI32.DLL in order to initiate running the virus on the remote host
  • If viable targets are located, virus will attempt to copy itself to the c$\System32 or Admin$\System32 share as “msslut32.exe” then issue a remote instruction to run the file
  • Virus may attempt to connect simultaneously to as many as 20 different IP addresses
  • Virus may add an entry into the system registry in order to load at Windows startup –

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "superslut" = msslut32.exe


Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR