Win32/Randex is a family of worms that targets computers running Microsoft Windows 9x, Windows NT 4.0, Windows 2000, Windows Server 2003, and Windows XP. The worm scans randomly generated IP addresses to attempt to spread to network shares with weak passwords. After the worm infects a computer, it connects to an IRC server to receive commands from the attacker. If your computer is infected by this worm, you may notice crashes or slowdowns during normal operation.

Threat behavior

When Win32/Randex runs, it copies itself to the system folder. It may add a value to the following registry keys:
This value causes the worm to run when Windows restarts.
The Win32/Randex worm may connect to randomly generated IP addresses through TCP port 445. The worm then uses a predefined list of weak passwords to attempt log on to writeable network shares on remote computers. After gaining access, the worm copies itself to the remote computer and creates a task to run the copy.
The Win32/Randex worm connects to a remote IRC server and joins a specific channel to receive commands from attackers. Upon successful installation, the worm notifies attackers through a private message. Attackers can then use the established IRC channel to perform backdoor actions such as launching distributed denial of service (DDoS) attacks against IP addresses, scanning for vulnerable computers with weak administrator passwords, downloading remote files and running them, retrieving computer configuration information, retrieving CD keys of popular games, joining or leaving specific IRC channels, adding or removing IRC users, and updating the worm.
Some variants of the worm also drop a backdoor Trojan component, which opens TCP ports and acts as an HTTP proxy.


If your computer is infected by Win32/Randex, you may notice system performance degradation and slower network connectivity.


Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Highlight a connection that you want to help protect, and click Change settings of this connection.
  4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates
  1. Click Start, and click Control Panel.
  2. Click Performance and Maintenance. If you do not see Performance and Maintenance , click Switch to Category View.
  3. Click System.
  4. Click Automatic Updates, and select Keep my computer up to date.
  5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
  6. If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection.

Use strong passwords

A strong password has at least eight characters and includes a combination of letters, numbers, and symbols. It is easy for you to remember, but difficult for others to guess. Weak passwords include any words in dictionaries, names, dates, consecutive letters or numbers, common words with symbol substitutions (for example, p@ssw0rd), and so on.

Alert level: Severe
This entry was first published on: Jan 13, 2005
This entry was updated on: Sep 19, 2006

This threat is also detected as:
  • W32.Randex (Symantec)
  • W32/Sdbot.worm (McAfee)
  • WORM_RANDEX (Trend Micro)
  • W32/Randex (Sophos)