January 05, esecurityplanet.com
On Monday, January 5, Sophos issued a low-level alert for W32/Randon-AB, a multi-component network worm that attempts to spread by copying its components to remote ADMIN$ shares with weak passwords and executing them there. One component of the worm, B4AK.EXE, then attempts to download a copy of the worm from a remote URL as a file called C:\SVCHOST.EXE and execute it. The main file is a self-extracting (SFX) EXE which creates a folder called AL within the Windows system folder and drops and executes several files, some of which are legitimate utilities or innocuous files. The worm adds an entry to the registry Run key to run H00D.EXE on system restart.
Instructions for removing worms are at
http://www.sophos.com/virusinfo/analyses/w32randonab.html
Source:
http://www.esecurityplanet.com/alerts/article.php/3295121
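A host-triage check built from the artifacts named in the alert, as an added example (not code from Sophos or from the article). The record format, the sample inventory, and the assumption that the system folder is under C:\Windows are constructed for illustration; the check for a system binary name outside the system folder generalises the C:\SVCHOST.EXE case.

```python
import ntpath
import re

# Assumption: default system folders; adjust for hosts installed elsewhere (e.g. C:\WINNT).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WORM_FILES = {"b4ak.exe", "h00d.exe"}   # component names given in the alert
SYSTEM_ONLY = {"svchost.exe"}           # names that should only live in SYSTEM_DIRS
EXE_TOKEN = re.compile(r'[^\\/"\s]+\.exe')

def norm(path):
    """Windows paths are case-insensitive: unify separators, collapse dots, lower-case."""
    return ntpath.normpath(path.strip().strip('"').replace("/", "\\")).lower()

def triage(records):
    """records: (kind, value) pairs; kind is 'file', 'dir' or 'run' (a Run key command line).
    Returns a list of (reason, original value) findings."""
    findings = []
    for kind, value in records:
        if kind == "file":
            path = norm(value)
            name, folder = ntpath.basename(path), ntpath.dirname(path)
            if name in WORM_FILES:
                findings.append(("worm component name", value))
            elif name in SYSTEM_ONLY and folder not in SYSTEM_DIRS:
                findings.append(("system binary name outside system folder", value))
        elif kind == "dir":
            path = norm(value)
            if ntpath.basename(path) == "al" and ntpath.dirname(path) in SYSTEM_DIRS:
                findings.append(("AL folder inside system folder", value))
        elif kind == "run":
            # A Run value may hold a quoted path plus arguments; compare executable names only.
            if WORM_FILES & set(EXE_TOKEN.findall(value.lower())):
                findings.append(("Run key starts worm component", value))
    return findings

# Constructed sample inventory (not taken from a real host).
SAMPLE = [
    ("file", r"C:\WINDOWS\System32\svchost.exe"),
    ("file", r"C:\SVCHOST.EXE"),
    ("file", r"D:\Temp\B4AK.EXE"),
    ("dir", "C:/WINDOWS/system32/AL/"),
    ("run", r'"C:\Program Files\Vendor\updater.exe" /silent'),
    ("run", r"H00D.EXE"),
]

if __name__ == "__main__":
    for reason, value in triage(SAMPLE):
        print(f"{reason}: {value}")
```

A folder named AL or a file name match is only a lead for triage; confirm against the vendor analysis before acting on it.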