In the wake of Donk-D, comes the Randex worms

By Alun Williams

Posted on 20 Oct 2003 at 17:09

Following in the recent wake of Donk-D comes reports of more network worms, according to anti-virus specialist Sophos.

Like the Donk worm, the Randex variants are network worms with backdoor capabilities. Potentially, this allows a remote attacker to control an infected computer. Whereas Donk exploited the now-familiar vulnerabilities in the Windows RPCSS service, the Randex worms work via the IRC (Internet Relay Chat) channels that underpin instant messaging.

When first run, Randex-Q copies itself to the Windows system folder as Musirc4.71.exe. Randex-I, by contrast, copies itself to the same folder as msnv32.exe. Subsequently, the worms try to connect to remote IRC servers and they will also run in the background listening for commands to execute.

While Sophos has received several reports of Randex-Q in the wild, there has been just one report of Randex-I. An indication, perhaps, of the relative virulence of the worms.

You can find more information on Randex-I on the Sophos website. And ditto for Randex-I.