VirusW32/Randex.C
Analysis
- Virus is 32bit with a compressed size of 40,960
bytes and a file date of June 10, 2003
- Virus uses imports from MPR.DLL to enumerate network
connections and attempt to connect with them in an
effort to spread to that system – virus is also
related to Backdoor.Sdbot in some aspects
- Virus may exist as the file GESFM32.EXE or MSMONK32.EXE
in the Windows\System folder on an infected machine
- If the virus is activated, it will run memory resident
and copy itself to the Windows\System folder and modify
the registry to load at Windows startup –
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Netview = gesfm32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Netview = gesfm32.exe
- The virus will then attempt to search for machines
on the local area network and attempt to connect with
them using a dictionary attack method, then write
a copy of itself to that machine into the System folder
and initiate execution of the file remotely
- Virus will also attempt to scan IP addresses in
an attempt to identify if they are using file share
and attempt to infect that target
- If viable targets are located, virus will attempt
to copy itself to the c$\System32 or Admin$\System32
share as msmonk32.exe then issue a remote instruction
to run the file
- Virus attempts to connect to the IP address 217.211.72.145
persistently
- Virus also serves as an IRC bot allowing a hacker
or group of hackers to issue commands such as sending
messages or issuing SYN floods
- Virus contains the string “monk.10 420420”
in its compressed body
