IRC-Worm.Randon.I
LOW
MEDIUM
1,274,368 / 1,354,240 bytes
(N/A)
Symptoms
Presence of the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\explorer= "c:\windows\system\expl32.exe"].
Presence of the following files in the Windows\System folder:
aim.txt
AImIRC.ini
bla.txt
bnc.dll
config.hfg
crazy.exe
cscan.dat
dtkode.txt
empavms.exe
EXPL32.EXE
impvms.dll
innocent
ipservers.txt
lan.bat
Libparse.exe
miconfig.exe
moo.dll
msccl.dll
newuser.bat
nhtml.dll
nicks.txt
nvdrv.ocx
psexec.exe
ratsou.exe
reg.xpl
remote.ini
restart.exe
script1.dll
spig.txt
sysboot.dll
syste32.dll
system.exe
temp
unicod_look
unicod_ready
werty.bat
wincmd34.bat
wind.dll
WININET.DLL
Newer versions of the worm have these instead:
Presence of the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass="%SYSTEM%\lsass.exe"]
where %SYSTEM% points to Windows\System folder.
Presence of the following files in the %SYSTEM% folder:
aim.dll
aim.txt
boot.exe
c.dll
dr.exe
empavms.exe
flood.ocx
gt.exe
ipservers.dll
java.dll
lan.bat
Libparse.exe
lsass.exe
miconfig.exe
moo.dll
msccl.dll
msconig.exe
newuser.bat
nhtml.dll
ratsou.exe
regedit.dll
remote.ini
restart.exe
screen.dll
sipg.ocx
start.ocx
sysboot.dll
sysconfig.ocx
syste32.dll
temp
unicod_look
unicod_ready
users.dll
werty.bat
wincmd34.bat
wind.dll
zhid.exe
Removal instructions:
- If you don't have BitDefender installed, click here to download an evaluation version.
- Make the following changes in the windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass="%SYSTEM%\lsass.exe"]
where %SYSTEM% points to Windows\System folder.
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with IRC-Worm.Randon.I.
Analyzed by: Patrick Vicol, BitDefender Virus Researcher
Technical Description:
This worm spreads through IRC and is in fact a collection of backdoors, trojans, DDoS programs and exploits, all packed into one executable file. The worm arrives as an .exe file sent over mIRC. Once this file is executed, the registry key and files listed above are created and EXPL32.EXE (or LSASS.EXE in the newer version) is run, giving the attacker complete control over the infected computer. Using its downloader component, it can download and install newer versions of itself (the files GT.EXE or GT2.EXE) from an internet address.
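As an added example (not BitDefender's own tool and not part of the original description), the following Python script checks a host for the indicators listed above: the two Run values and the file names reported for the Windows\System folder. Names that also occur on clean systems (temp, WININET.DLL, lsass.exe, psexec.exe) are excluded from the file score, and the threshold of three distinctive files before a file-only match is reported is this example's own assumption. The sample Run values and directory listing are constructed; on Windows the script reads the live Run key and the System folder instead.

```python
"""Host check for the IRC-Worm.Randon.I indicators given in the description.

Added example, not BitDefender's tool. The indicator lists are copied from
the description above; the GENERIC set and MIN_FILE_HITS are assumptions.
"""
import os
import sys
from typing import Dict, Iterable, List

# Registry Run values installed by the old and new variants (from the page).
RUN_VALUES = {
    "old": ("explorer", r"c:\windows\system\expl32.exe"),
    "new": ("lsass", r"%SYSTEM%\lsass.exe"),
}

OLD_FILES = """aim.txt AImIRC.ini bla.txt bnc.dll config.hfg crazy.exe cscan.dat
dtkode.txt empavms.exe EXPL32.EXE impvms.dll innocent ipservers.txt lan.bat
Libparse.exe miconfig.exe moo.dll msccl.dll newuser.bat nhtml.dll nicks.txt
nvdrv.ocx psexec.exe ratsou.exe reg.xpl remote.ini restart.exe script1.dll
spig.txt sysboot.dll syste32.dll system.exe temp unicod_look unicod_ready
werty.bat wincmd34.bat wind.dll WININET.DLL""".split()

NEW_FILES = """aim.dll aim.txt boot.exe c.dll dr.exe empavms.exe flood.ocx gt.exe
ipservers.dll java.dll lan.bat Libparse.exe lsass.exe miconfig.exe moo.dll
msccl.dll msconig.exe newuser.bat nhtml.dll ratsou.exe regedit.dll remote.ini
restart.exe screen.dll sipg.ocx start.ocx sysboot.dll sysconfig.ocx syste32.dll
temp unicod_look unicod_ready users.dll werty.bat wincmd34.bat wind.dll zhid.exe""".split()

# Assumption: names that also exist on clean systems; not counted in the
# file score so a normal directory does not raise an alert on its own.
GENERIC = {"temp", "wininet.dll", "lsass.exe", "psexec.exe"}
MIN_FILE_HITS = 3  # assumption: distinctive files needed for a file-only hit

# Constructed sample input, used when not running on Windows.
SAMPLE_RUN = {"lsass": r"C:\WINDOWS\SYSTEM\lsass.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_LISTING = ["lsass.exe", "zhid.exe", "sipg.ocx", "wind.dll",
                  "user.exe", "kernel32.dll", "WININET.DLL"]


def check_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return the variants whose Run value (name plus image path) is present.

    run_values maps value name -> data from HKLM\\...\\CurrentVersion\\Run.
    Comparison is case-insensitive and ignores surrounding quotes. The new
    variant is matched on a value named 'lsass' whose data ends in
    '\\lsass.exe', since %SYSTEM% is already expanded on a live host.
    """
    hits = []
    lowered = {k.lower(): v.lower().strip('"') for k, v in run_values.items()}
    for variant, (name, image) in RUN_VALUES.items():
        data = lowered.get(name.lower())
        if data is None:
            continue
        if variant == "old" and data == image:
            hits.append(variant)
        elif variant == "new" and data.endswith("\\lsass.exe"):
            hits.append(variant)
    return hits


def check_files(listing: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per variant, the distinctive indicator files found in listing."""
    present = {n.lower() for n in listing}
    result = {}
    for variant, names in (("old", OLD_FILES), ("new", NEW_FILES)):
        found = {n.lower() for n in names} & present
        result[variant] = sorted(found - GENERIC)
    return result


def assess(run_values: Dict[str, str], listing: Iterable[str]) -> Dict[str, object]:
    """Combine both checks: a Run value hit is decisive, files alone are weaker."""
    reg_hits = check_run_values(run_values)
    file_hits = check_files(listing)
    if reg_hits:
        verdict = "infected"
    elif any(len(v) >= MIN_FILE_HITS for v in file_hits.values()):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "registry": reg_hits, "files": file_hits}


def collect_windows_state():
    """Read the live Run key and the Windows\\System listing (Windows only)."""
    import winreg  # standard library, importable only on Windows
    run_values = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            run_values[name] = str(data)
            index += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System")
    listing = os.listdir(system_dir) if os.path.isdir(system_dir) else []
    return run_values, listing


if __name__ == "__main__":
    if sys.platform == "win32":
        state = collect_windows_state()
    else:
        state = (SAMPLE_RUN, SAMPLE_LISTING)
    print(assess(*state))
```

The Run value named lsass is treated as the decisive indicator because a file called lsass.exe is not one on its own: Windows NT-family systems ship a legitimate lsass.exe in System32, which is why that name sits in the GENERIC set. Likewise WININET.DLL is a standard Windows library, so only the distinctive worm components count toward the file-based verdict.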