Help!
  • cooldoc
    #2124
    Discovered: August 12, 2003
    Updated: March 25, 2006 03:05:13 PM GMT
    Also Known As: IRC-BBot [McAfee], WORM_RPCSDBOT.A [Trend], Trojan-Dropper.Win32.Small.bc [Kaspersky]
    Type: Worm
    Infection Length: 24,064 bytes; 43,520 bytes
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

    When W32.Randex.E runs, it does the following:

    1. Copies itself as one of the following:

    %System%\nstask32.exe
    %System%\winlogin.exe

    2. Copies itself to the Windows Temp folder using randomly generated file names.

    3. Creates one of the following:

    %System%\win32sockdrv.dll
    %System%\yuetyutr.dll

    The worm injects the dropped DLL as a module into the Explorer.exe process. It also uses the dropped DLL file to spread itself through IRC, and uses the DLL to exploit the DCOM RPC vulnerability, as described in Microsoft Security Bulletin MS03-026.

    4. Adds the value:

    "NDplDeamon"="nstask32.exe"

    or:

    "NDpLDeamon"="winlogin.exe"

    to the registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    5. One variant also adds a value:

    "winlogon"="winlogin.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    6. Inserts the following lines into the System.ini file if the system is Windows 95, 98, or Me:

    [boot]
    shell = explorer.exe <the worm file, for example, nstask32.exe>

    7. In Windows NT/2000/XP, it modifies the "Shell" value of the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    to one of the following:

    "Shell"="explorer.exe winlogin.exe"

    or:

    "Shell"="explorer.exe nstask32.exe"

    8. The worm contains its own IRC client, allowing it to connect to specified IRC servers and join a channel to listen for commands from the worm's creator.

    One such command is to exploit the DCOM RPC vulnerability: the worm generates random IP addresses and, for each address generated, sends specially formed data that exploits the DCOM RPC vulnerability to that address.

    9. Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.

    10. Creates a thread running as a TFTP server, listening on UDP port 69. When the worm receives a request from a computer to which it can connect using the DCOM RPC exploit, it sends Nstask32.exe or Winlogin.exe to that computer and tells it to execute the worm.
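A triage check for the persistence artifacts listed in steps 4 through 7, written here as an added example (it is not Symantec's writeup code or the poster's): it parses an exported .reg file and a copy of System.ini, so it runs offline on any platform, and the sample artifacts at the bottom are constructed, not taken from a real infection.

```python
# Added example (not Symantec's or the poster's code): offline triage of the
# W32.Randex.E persistence artifacts on an exported .reg file and a System.ini copy.
import re

WORM_FILES = {"nstask32.exe", "winlogin.exe"}
WORM_VALUE_NAMES = {"ndpldeamon", "winlogon"}   # compared case-insensitively
RUN_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def _basenames(cmd):
    # Lower-cased file names of every token in a command string such as "explorer.exe x.exe".
    return {t.strip('"').lower().rsplit("\\", 1)[-1] for t in cmd.split()}

def check_reg_export(reg_text):
    """Indicators found in the text of a Windows .reg export (regedit /e style)."""
    hits, key = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()           # new key section
        elif key and (m := re.match(r'"([^"]+)"="([^"]*)"', line)):
            name, data = m.group(1), m.group(2)
            exes = _basenames(data)
            if key in RUN_KEYS and (name.lower() in WORM_VALUE_NAMES or exes & WORM_FILES):
                hits.append(f"run-key persistence: {name}={data}")
            # A clean Winlogon Shell is just "explorer.exe"; any extra token is a hijack.
            if key == WINLOGON_KEY and name.lower() == "shell" and exes - {"explorer.exe"}:
                hits.append(f"winlogon shell hijack: {data}")
    return hits

def check_system_ini(ini_text):
    """Indicators in a Win9x/Me System.ini: the [boot] shell= line must be explorer.exe only."""
    hits, section = [], None
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell") and "=" in line:
            if _basenames(line.split("=", 1)[1]) != {"explorer.exe"}:
                hits.append(f"system.ini shell hijack: {line}")
    return hits

# Constructed sample artifacts (not from a real infection) for a quick self-check.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NDplDeamon"="nstask32.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winlogin.exe"
"""
SAMPLE_INI = "[boot]\nshell = explorer.exe nstask32.exe\n"
```

Running `check_reg_export(SAMPLE_REG)` flags the Run value and the Winlogon Shell hijack while leaving the benign ctfmon entry alone; `check_system_ini(SAMPLE_INI)` flags the extra executable on the shell= line.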