"Randon" Threatens Port 445!
04 Mar 2003
A new blended worm / trojan threat appears.
Kaspersky Lab, an international data security software developer, reports registered infections at the hands of the new network worm "Randon". Kaspersky Lab has already received several incident reports from both Russian and the Netherlands connected with this malicious program.
"Randon" spreads via IRC channels and local area networks and infects computers running Windows 2000 and Windows XP. To penetrate computer systems the worm registers itself in the IRC server (or local area network), scans for all present users and connects to victim computers via port 445 and attempts to gain access by using a fixed list of the most commonly used passwords. When "Randon" manages to successfully break-in it proceeds to transmit to this system the Trojan program "Apher", which then, from a remote web site, loads worm's remaining components (a total of 13 files, including a full-fledged mIRC client for work with IRC channels).
"Randon" installs its components to the Windows system directory, registers its main file and the mIRC client in the Windows registry auto-run key, and then executes them. To keep its activities secret, "Randon" uses a special utility called "HideWindows", which is also part of the worm. "HideWindows" renders the worm invisible to victims and its active processes can only be detected in the Windows task manager.
Fortunately "Randon" does not carry out any destructive functions. Collateral effects on infected machines include a high volume of redundant or excess traffic and the overflow of IRC channels. To defend against this worm it is enough to load an updated anti-virus program, install a personal firewall such as Kaspersky® Anti-Hacker or use long access passwords.
The defense against "Randon" has already been added to the Kaspersky® Anti-Virus databases.
A more detailed description of the "Randon" worm can be found in the Kaspersky Virus Encyclopedia