Virus

W32/Randex.X

Analysis

  • Virus is 32bit with file size of 60,416 bytes
  • Virus may be introduced to the system from another computer across a network or the Internet, particularly if the target system has weak or no password for the main or administrator account
  • If virus is run, it will copy itself to the undefinedWindowsundefined\System folder as "piriax32.exe"
  • Next the virus will modify the registry to auto run at next Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "Winux Piriax Service" = piriax32.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    "Winux Piriax Service" = piriax32.exe

  • The virus will then attempt to locate systems across the network and attempt to connect with and infect them by copying itself to that target machine - the virus will try to write itself to one of three possible share locations -

    C$
    ADMIN$
    ipc$

  • If the virus is successful in connecting with the target, it will attempt to write itself as "musirc4.71.exe" to the System32 folder

  • Next, the virus will remotely schedule that system to run the file using the import "NetScheduleJobAdd" from Netapi32.dll

  • The virus will try to scan for other systems across the same subnet using randomly selected IP addresses (a.b.*.*)

  • The virus will attempt to send DNS query packet to identify the IP address of the IRC server "irc.undernet.org" and then attempt to join the IRC channel "#DeathBlossom"

  • The virus will then await instructions from a hacker or group of hackers

Recommended Action

  • If your organization does not require it, deny access to TCP port 445 for Internal to External (INT -> EXT) and External to Internal (EXT -> INT)