Deverill Posted February 4, 2005 Does anyone know of a removal tool for the Randex virus that works? We have hit the search engines and couldn't find anything. Our network at work is a net-won't right now. The thing is bogging down to a crawl with all the worm traffic and we IT guys are getting slaughtered on this one. It's even causing accounts to lock out because of bad password attempts. The only thing we have seen is "randex" and that's from our Symantec Corporate Edition AV software. If anyone has any suggestions I'm all ears.
TCH-Thomas Posted February 4, 2005 Jim, Try searching: http://securityresponse.symantec.com/avcenter/vinfodb.html I found lots of info, but there are a lot of variants.
Deverill (Author) Posted February 4, 2005 Yes, that is true and unfortunately the only thing Symantec has is an "update our definitions and here's how to manually remove it." They don't actually remove the bug. The bad thing is that our defs were updated last Wednesday, so how did this old thing get in there? I'm really wondering if it's a new variant or a new worm completely. Thanks for the pointer, Thomas.
GroovyFish Posted February 4, 2005 Jim, Don't know if this helps, but I found this on another forum. You don't indicate which version of Randex you have. Now, unfortunately there is worse news: Randex.E uses an RPC DCOM exploit that is in Windows machines from Windows 95 up through XP, with the exception of Microsoft IIS (Internet Information Server). It has been known to attack and infect Windows 98 and up through XP, ATM. It has been shown that you can manually remove it; the instructions are in the virus encyclopedia at Symantec. I do not know much about it; it would appear to be primarily an IRC-spread worm, with spreading also on ports used by chats (IRC, Internet Relay Chat). I have not yet seen an autoremover for it as a stand-alone tool, but HouseCall ( http://www.antivirus.com ) by Trend Micro can kill it. Norton can find it. If I find anything else, I will post it.
GroovyFish Posted February 4, 2005 I also found this removal tool (never heard of the company so I am not vouching for it): G DATA Software
GroovyFish Posted February 4, 2005 AND... I found this at CIS Network Security Group: Randex is a network-aware worm that attacks administrator passwords and installs the backdoor trojan Backdoor.Roxy. Randex.D is also known as W32/Slanper.worm to McAfee and some other anti-virus companies.
Madmanmcp Posted February 4, 2005 Well, if the one site is correct and it is spreading via IRC, you can start blocking ports commonly used by IRC and see if this slows or stops its traffic. Let's see now. Ports 23 and 1088 are used, as is 113 for identd. You also log into port 6667, 6668 or 6669, I believe. Start locking those ports down on firewalls or each individual computer and see if that's the ticket.
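Before (or while) blocking those ports, a firewall log will tell you which internal hosts are actually talking to them and which hosts are fanning out to many peers the way a scanning worm does. The script below is an added example, not code from the thread or from any vendor; the log line format, the sample entries and the internal address range are all constructed assumptions.

```python
"""Flag internal hosts that hit the IRC-related ports from the thread and
hosts that contact unusually many peers (worm-style scanning)."""
from collections import defaultdict
import ipaddress
import re

# Ports Madmanmcp lists as IRC-related (23, 1088, 113 identd, 6667-6669).
IRC_PORTS = {23, 1088, 113, 6667, 6668, 6669}

# Constructed sample firewall log (not real data); the format is an assumption.
SAMPLE_LOG = """\
2005-02-04 09:12:01 ALLOW TCP 10.1.4.22 -> 198.51.100.7:6667
2005-02-04 09:12:02 ALLOW TCP 10.1.4.22 -> 10.1.4.23:445
2005-02-04 09:12:02 ALLOW TCP 10.1.4.22 -> 10.1.4.24:445
2005-02-04 09:12:03 ALLOW TCP 10.1.4.22 -> 10.1.4.25:445
2005-02-04 09:12:03 ALLOW TCP 10.1.4.22 -> 10.1.4.26:445
2005-02-04 09:12:10 ALLOW TCP 10.1.7.5 -> 198.51.100.20:80
2005-02-04 09:12:11 ALLOW TCP 10.1.7.5 -> 198.51.100.21:80
2005-02-04 09:12:12 ALLOW TCP 10.1.9.9 -> 198.51.100.8:6669
2005-02-04 09:12:13 DENY TCP 203.0.113.9 -> 10.1.4.22:6667
"""

LINE_RE = re.compile(r"(ALLOW|DENY) TCP (\S+) -> (\S+):(\d+)")


def parse(log_text):
    """Yield (action, src, dst, dport); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            action, src, dst, dport = m.groups()
            yield action, src, dst, int(dport)


def triage(log_text, internal_net="10.0.0.0/8", fanout_threshold=5):
    """Return internal hosts talking to IRC ports, hosts scanning many peers,
    and the intersection (the strongest infection candidates)."""
    net = ipaddress.ip_network(internal_net)
    irc_hosts = set()
    peers = defaultdict(set)  # src -> distinct destinations contacted
    for _action, src, dst, dport in parse(log_text):
        if ipaddress.ip_address(src) not in net:
            continue  # only traffic originating inside the network matters here
        if dport in IRC_PORTS:
            irc_hosts.add(src)
        peers[src].add(dst)
    scanners = {h for h, p in peers.items() if len(p) >= fanout_threshold}
    return {"irc_talkers": sorted(irc_hosts),
            "scanners": sorted(scanners),
            "both": sorted(irc_hosts & scanners)}
```

Hosts listed under "both" are the ones to pull off the wire and clean first; the fan-out threshold should be tuned to what a normal workstation does on your network.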
Deverill (Author) Posted February 4, 2005 Awesome! Thanks, you two! You obviously run in different circles than I, and I appreciate the help!
GroovyFish Posted February 4, 2005 You're welcome! Were you able to stop it?
Deverill (Author) Posted February 4, 2005 Still working - we have about 500 computers in 5 states. It may be early next week before we squash the baddie, but your info will help.