W32/Randex.B
Analysis
- Virus is 32bit, with a UPX compressed size of 32,256
bytes
- Virus bears resemblance to W32/Randex.c in spread
method and mechanism
- If virus is run, it creates a Mutex named “msejaer32”
and runs memory resident
- The virus may run in as many as 40 threads simultaneously
and attempts to connect in rapid succession to numerous
and random IP addresses across the Internet in an
effort to locate open shares and copy itself to that
potential target as the file “msmsgri.exe”
- Virus uses the import “WNetAddConnection2A”
from MPR.DLL in order to connect with the target,
and uses the import “NetScheduleJobAdd”
from “NETAPI32.DLL in order to initiate running
the virus on the remote host
- If viable targets are located, virus will attempt
to copy itself to the c$\System32 or Admin$\System32
share as “msmsgri.exe” then issue a remote
instruction to run the file
- Virus may attempt to connect simultaneously to
as many as 20 different IP addresses
- Virus deletes keys in the registry which store
IP address configuration data –
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
{machine specific CSLID value}\Parameters\Tcpip\
"DhcpDefaultGateway"
"DhcpSubnetMaskOpt"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
Dhcp\Parameters\
"{machine specific CSLID value}"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT\
Parameters\Interfaces\Tcpip_{machine specific CSLID value}\
"DhcpNameServerList"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
Tcpip\Parameters\
"DhcpDomain"
"DhcpNameServer"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
Parameters\Interfaces\{machine specific CSLID value}\
"DhcpDefaultGateway"
"DhcpDomain"
"DhcpNameServer"
"DhcpSubnetMaskOpt"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
{machine specific CSLID value}\Parameters\Tcpip\
"DhcpDefaultGateway"
"DhcpSubnetMaskOpt"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Dhcp\Parameters\
"{machine specific CSLID value}"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\
Parameters\Interfaces\Tcpip_{machine specific CSLID value}\
"DhcpNameServerList"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Tcpip\Parameters\
"DhcpDomain"
"DhcpNameServer"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\Interfaces\{machine specific CSLID value}
"DhcpDefaultGateway"
"DhcpDomain"
"DhcpNameServer"
"DhcpSubnetMaskOpt"
-
Virus changes keys in the registry which store IP address configuration data –
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
{machine specific CSLID value}\Parameters\Tcpip\
"DhcpIPAddress" = 169.254.214.144
"DhcpServer" = 255.255.255.255
"DhcpSubnetMask" = 255.255.0.0
"Lease" = 00, 00, 00, 00HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\
Parameters\Interfaces\{machine specific CSLID value}\
"DhcpIPAddress" = 169.254.214.144
"DhcpServer" = 255.255.255.255
"DhcpSubnetMask" = 255.255.0.0
"IPAutoconfigurationAddress" = 169.254.214.144
"Lease" = 00, 00, 00, 00HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
{machine specific CSLID value}\Parameters\Tcpip\
"DhcpIPAddress" = 169.254.214.144
"DhcpServer" = 255.255.255.255
"DhcpSubnetMask" = 255.255.0.0HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\Interfaces\{machine specific CSLID value}
"DhcpIPAddress" = 169.254.214.144
"DhcpServer" = 255.255.255.255
"DhcpSubnetMask" = 255.255.0.0
"IPAutoconfigurationAddress" = 169.254.214.144
-
Virus may add an entry into the system registry in order to load at Windows startup –
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\
"mssyslanhelper" = C:\Windows\System32\msmsgri.exe
-
Virus attempts to connect to the IP address 217.21.117.104 using TCP port 54545 – this connection appears to be in Rhode Island, U.S.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |