W32/Plexus.a@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 06/03/2004
Length: 16,208 bytes (FSG packed)
Minimum DAT: 4365 (06/09/2004)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 06/03/2004
Description Modified: 06/14/2004 6:32 AM (PT)
Risk Assessment:
  • Corporate User: Low-Profiled
  • Home User: Low-Profiled

Characteristics

-- Update June 3rd, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.techweb.com/wire/story/TWB20040603S0007


This worm propagates via the following vectors:

  • by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533) 'LSASS']
  • by making use of the RPC Interface Buffer Overflow (7.17.03) vulnerability also known as MS03-026.
  • by mailing itself to email addresses harvested from the victim machine (spoofing the From: address) 
  • by copying itself over the network

To prevent propagation by the first method, users should install the Microsoft update for the exploit this worm uses. See the following URL for more information:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Mail Propagation

The virus contains its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files on local and mapped drives on the victim machine. Files with the following extensions are trawled:

  • htm
  • html
  • php
  • tbb
  • txt

The From: address of sent messages is spoofed (it may use strings it carries, or email addresses it extracts from the victim machine).

The virus specifically excludes certain email addresses from its target list. It will not mail itself to addresses containing one of many strings it carries in its body.

Outgoing messages bear the following characteristics:

Subject: One of the following subject lines is used:

  • RE: order
  • Good offer.
  • For you
  • RE:
  • Hi, Mike

Attachment: The file attachment will have one of the following filenames:

  • SecUNCE.exe
  • AtlantI.exe
  • AGen1.03.exe
  • demo.exe
  • release.exe

Message Body: May be one of the following:

  • Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
  • Hi, my darling :)
    Look at my new screensaver. I hope you will enjoy...
    Your Liza
  • Hi.
    Here is the archive with those information, you asked me.
    And don't forget it is strongly confidential!!!
    Seya, man.
    P.S. Don't forget my fee ;)
  • My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :)
    And please do not distribute it. It's private.
  • Hi, Nick. In this archive you can find all those things, you asked me.
    See you, Steve.
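The subject lines and attachment filenames above are the static indicators a mail gateway can match on. The following filter is an added example, not McAfee's code or part of the original description: it parses a raw message, compares the subject and every attachment filename (case-insensitively) against the sets copied from this description, and reports which indicators fired. The sample messages, sender and recipient addresses are constructed here; the From: header is deliberately ignored because the worm spoofs it.

```python
"""Mail-gateway triage for the W32/Plexus.a@MM message indicators listed above.

Added example, not McAfee's code. The subject and attachment sets are copied
from the description; the sample messages are constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicator sets from the description, compared case-insensitively.
PLEXUS_SUBJECTS = {"re: order", "good offer.", "for you", "re:", "hi, mike"}
PLEXUS_ATTACHMENTS = {"secunce.exe", "atlanti.exe", "agen1.03.exe",
                      "demo.exe", "release.exe"}


def attachment_names(msg):
    """Return lower-cased filenames of every non-multipart part carrying one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name.strip().lower())
    return names


def plexus_indicators(raw):
    """Parse one raw RFC 822 message and return the matched indicators.

    Subject matches are weak on their own ("RE:" is common); an attachment
    filename match is the strong signal. The From: header is deliberately not
    used, because the worm spoofs it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in PLEXUS_SUBJECTS:
        hits.append("subject:" + subject)
    for name in attachment_names(msg):
        if name in PLEXUS_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def build_sample(subject, filename=None):
    """Construct a sample message (not a real capture) for exercising the filter."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = subject
    msg.set_content("constructed body text\n")
    if filename:
        # inert placeholder bytes stand in for the attachment content
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Good offer.", "demo.exe"), ("Quarterly report", "report.pdf"), ("RE:", None)]:
        print(subj, fname, "->", plexus_indicators(build_sample(subj, fname)))
```

A gateway would treat an attachment-name hit as grounds for quarantine and a subject-only hit as a tag for review, since "RE:" and "For you" occur in legitimate mail.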

Share Propagation

The virus copies itself to available network resources and the KaZaa shared folder using the following filenames:

  • AVP5.xcrack.exe
  • ICQBomber.exe
  • hx00def.exe
  • InternetOptimizer1.05b.exe
  • Shrek_2.exe
  • UnNukeit9xNTICQ04noimageCrk.exe
  • YahooDBMails.exe

BackDoor Component

The virus opens port 1250 (TCP) on the victim machine. This enables the hacker to remotely upload and execute a file on an infected machine. Upon such a connection, the worm saves the uploaded file as _UP.EXE in the temporary directory and executes it.

Symptoms

The virus overwrites the local hosts file in an attempt to thwart the updating of a specific antivirus product. Overwritten hosts files will be detected as W32/Plexus@MM!hosts with the specified DATs.

Installation

The virus installs itself as UPU.EXE in the system directory on the victim machine, for example:

  • C:\WINNT\SYSTEM32\UPU.EXE

A Registry value to run the virus at system startup is also set:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "NvClipRsv" = C:\WINNT\SYSTEM32\UPU.EXE

The virus opens port 1250 (TCP) on the victim machine (file upload backdoor - see above). Additionally, other random ports are opened as well.
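The installation, hosts-file and backdoor details above give a responder three host-level indicators to check: the NvClipRsv Run value pointing at UPU.EXE, hostnames redirected to loopback in the hosts file, and a process listening on TCP 1250. The following triage script is an added example, not McAfee's tooling. It parses text in the shape of a .reg export, a hosts file and netstat -ano output; the inputs at the bottom are constructed, and the redirected hostname is a placeholder because the description does not name the antivirus update host the worm blocks.

```python
"""Host triage for the W32/Plexus.a@MM installation indicators described above.

Added example, not McAfee's tooling. Value name, file name, port and hosts-file
behaviour come from the description; the inputs at the bottom are constructed
text in the shape of a .reg export, a hosts file and netstat -ano output.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NvClipRsv"     # startup value name set by the worm
DROPPED_FILE = "upu.exe"    # installed copy in the system directory
BACKDOOR_PORT = 1250        # TCP upload-and-execute backdoor
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def check_run_key(reg_export):
    """Return findings for the Plexus startup value in a .reg-style export."""
    findings = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        # .reg exports double every backslash; undo that before comparing
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() == RUN_VALUE.lower():
            findings.append(f"run value {name} -> {value}")
        elif value.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"run value {name} launches {DROPPED_FILE}: {value}")
    return findings


def check_hosts(hosts_text):
    """Return hostnames the hosts file redirects to loopback/null (update blocking)."""
    redirected = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            redirected.extend(n for n in names if n.lower() not in LOCAL_NAMES)
    return redirected


def check_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return PIDs of TCP sockets LISTENING on the backdoor port (netstat -ano layout)."""
    pids = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        if f[1].rsplit(":", 1)[-1] == str(port):
            pids.append(f[4])
    return pids


def triage(reg_export, hosts_text, netstat_text):
    """Run all three checks; any non-empty list is worth a closer look."""
    return {
        "run_key": check_run_key(reg_export),
        "hosts_redirects": check_hosts(hosts_text),
        "port_1250_pids": check_listeners(netstat_text),
    }


# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv"="C:\\WINNT\\SYSTEM32\\UPU.EXE"
"Benign"="C:\\Program Files\\Vendor\\tray.exe"
"""
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1       update.example-av.invalid   # placeholder: the description does not name the blocked host
"""
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING       1644
  TCP    192.0.2.10:1250        198.51.100.7:4321      ESTABLISHED     1644
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_HOSTS, SAMPLE_NETSTAT).items():
        print(section, items)
```

On a live Windows host the same functions take the real text from a registry export of the Run key, the contents of the hosts file and the output of netstat -ano; the PID reported for port 1250 is the process to collect before cleaning with the recommended DATs. Because the description says the worm also opens other random ports, an empty port-1250 result on its own does not clear a host.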

A side-effect of the MS04-011 propagation characteristics of the worm is that LSASS.EXE crashes on the targeted machine. By default such systems will reboot after the crash occurs. The following window may be displayed:

Method of Infection

This worm spreads via mass-mailing itself, two high-profile Windows exploits, network shares and KaZaa P2P networks.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Plexus.a (Kaspersky)
  • W32.Explet.A@mm (Symantec)
