
W32/Plexus.b@MM

Type: Virus
SubType: Email
Discovery Date: 06/09/2004
Length: 16,208 bytes (packed); 40,800 bytes (dropper)
Minimum DAT: 4365 (06/09/2004)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 06/09/2004
Description Modified: 06/14/2004 9:55 AM (PT)
Risk Assessment: Corporate User - Low; Home User - Low


Characteristics

This is a minor variant of W32/Plexus.a@MM, with minimal changes to the virus. It shares the same main characteristics, attempting to propagate via the following vectors:

  • by exploiting the Microsoft Windows LSASS vulnerability addressed by MS04-011 (CAN-2003-0533)
  • by exploiting the RPC Interface Buffer Overflow (7.17.03) addressed by MS03-026 (CAN-2003-0352)
  • by mailing itself to email addresses harvested from the victim machine (spoofing the From: address)
  • by copying itself over the network

To prevent propagation by the first two methods, users should install the Microsoft updates for the vulnerabilities this worm exploits (MS04-011 and MS03-026). See the following URL for more information on MS04-011:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm is likely to be received in the form of a dropper which, upon execution, drops the worm and a second binary onto the victim machine. The dropper component is detected as MultiDropper-KR with the specified engine/DATs. The second file dropped is detected as BackDoor-CCT with DAT 4363 or later.

Symptoms

As with its predecessor, this variant overwrites the local hosts file in an attempt to prevent a specific antivirus product from updating. Overwritten hosts files are detected as W32/Plexus@MM!hosts with the specified DATs.

Installation

When the dropper is executed, a fake error message is displayed. Multiple files are dropped on the victim machine:

The following are copies of the dropper (40,800 bytes):

  • %SysDir%\SUPU.EXE
  • %SysDir%\UPU.EXE

The following are copies of the virus (16,208 bytes):

  • %WinDir%\SVCHOST.EXE

The following are copies of the dropped BackDoor-CCT trojan (21,088 bytes):

  • %Startup%\SVCHOST.EXE
  • %SysDir%\SETUPEX.EXE
  • %SysDir%\SVOHOST.EXE

(where %Startup% is the Windows startup directory, %SysDir% is the Windows system directory, and %WinDir% is the Windows directory)

There are Registry modifications associated with the BackDoor-CCT component - see that description for details of these.

Additionally, the following Registry value is added to run the virus at system startup (the path shown is for a Windows NT/2000 install, where %SysDir% is C:\WINNT\SYSTEM32):

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "NvClipRsv" = C:\WINNT\SYSTEM32\SVCHOST.EXE

Note that this value points into the system directory, whereas the virus copy listed above is in %WinDir%. A SVCHOST.EXE in the system directory is normally the legitimate Windows service host, so the value name "NvClipRsv" is the reliable indicator here, not the file name.

A side-effect of the worm's MS04-011 propagation is that LSASS.EXE crashes on the targeted machine. By default such systems reboot after the crash occurs, and the Windows system shutdown warning dialog may be displayed before the reboot.
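Added here as a worked example, and not McAfee's tool or any code of the worm's: a Python triage script that checks the three indicator classes this description gives, the overwritten hosts file from the Symptoms section and the dropped file paths and the "NvClipRsv" Run value from the Installation section. The sample hosts file, Run values and directory listing are constructed; the av-vendor.example host names are placeholders because the description does not name the antivirus product; and the C:\WINNT layout in DEFAULT_ENV is an assumption taken from the Run key value quoted above.

```python
"""Offline triage for the W32/Plexus.b@MM indicators in this description.
Added example, not McAfee's tool or the worm's code. Every input is constructed:
a hosts file dump, HKLM\\...\\CurrentVersion\\Run values, and a {path: size} listing."""
import ipaddress
import ntpath
from typing import Dict, List

# (path template, size in bytes, component), from the Installation section.
FILE_IOCS = [
    ("%SysDir%\\SUPU.EXE", 40800, "dropper (MultiDropper-KR)"),
    ("%SysDir%\\UPU.EXE", 40800, "dropper (MultiDropper-KR)"),
    ("%WinDir%\\SVCHOST.EXE", 16208, "worm (W32/Plexus.b@MM)"),
    ("%Startup%\\SVCHOST.EXE", 21088, "BackDoor-CCT"),
    ("%SysDir%\\SETUPEX.EXE", 21088, "BackDoor-CCT"),
    ("%SysDir%\\SVOHOST.EXE", 21088, "BackDoor-CCT"),
]
RUN_VALUE_NAME = "NvClipRsv"  # value name of the startup hook
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed Windows 2000 layout (C:\WINNT, as in the Run key above); adjust for C:\WINDOWS installs.
DEFAULT_ENV = {
    "%WinDir%": "C:\\WINNT",
    "%SysDir%": "C:\\WINNT\\SYSTEM32",
    "%Startup%": "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup",
}

def check_files(listing: Dict[str, int], env: Dict[str, str] = DEFAULT_ENV) -> List[str]:
    """Match a {path: size} listing against the dropped files, case-insensitively.
    A size mismatch is reported, not ignored: it usually means another variant."""
    seen = {ntpath.normcase(path): size for path, size in listing.items()}
    findings = []
    for template, expected, component in FILE_IOCS:
        path = template
        for var, value in env.items():
            path = path.replace(var, value)
        actual = seen.get(ntpath.normcase(path))
        if actual is None:
            continue
        note = "" if actual == expected else f" (size {actual}, expected {expected})"
        findings.append(f"{path}: {component}{note}")
    return findings

def check_run_values(run: Dict[str, str]) -> List[str]:
    """NvClipRsv is the indicator from the description. Independently of the name,
    a genuine SVCHOST.EXE is started by the Service Control Manager, never from Run."""
    findings = []
    for name, command in run.items():
        exe = ntpath.basename(command.strip().strip('"')).lower()  # assumes no arguments
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run\\{name} = {command}: W32/Plexus.b@MM startup hook")
        elif exe == "svchost.exe":
            findings.append(f"Run\\{name} = {command}: svchost.exe launched from Run")
    return findings

def check_hosts(text: str) -> List[str]:
    """Flag entries that sink a real host name to loopback or 0.0.0.0 (how the overwritten hosts file blocks AV updates)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(f"line {lineno}: unparsable entry {raw!r}")
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            if name.lower() in LOCAL_NAMES or name.lower().startswith("ip6-"):
                continue
            findings.append(f"line {lineno}: {name} resolves to {addr}")
    return findings

# Constructed sample inputs, not captured from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       updates.av-vendor.example   # stands in for the real update host
0.0.0.0         dnl.av-vendor.example
"""
SAMPLE_RUN = {
    "NvClipRsv": "C:\\WINNT\\SYSTEM32\\SVCHOST.EXE",
    "Synchronization Manager": "mobsync.exe /logon",
}
SAMPLE_LISTING = {
    "C:\\WINNT\\SYSTEM32\\svchost.exe": 8192,   # legitimate service host, not an IOC
    "C:\\WINNT\\SVCHOST.EXE": 16208,            # worm copy in %WinDir%
    "C:\\WINNT\\SYSTEM32\\upu.exe": 40800,      # dropper copy
    "C:\\WINNT\\SYSTEM32\\svohost.exe": 20000,  # backdoor path with an unexpected size
}

def triage() -> Dict[str, List[str]]:
    return {
        "files": check_files(SAMPLE_LISTING),
        "run": check_run_values(SAMPLE_RUN),
        "hosts": check_hosts(SAMPLE_HOSTS),
    }

if __name__ == "__main__":
    for section, items in triage().items():
        print(section, *items, sep="\n  ")
```

On a live host the three inputs would come from a copy of %SysDir%\drivers\etc\hosts, an export of the Run key, and a recursive directory listing; the checks stay the same. The hosts check deliberately does not depend on a vendor host name, so it also catches the Plexus.a overwrite and any later variant that sinks a different updater.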

Method of Infection

This worm spreads by mass-mailing itself, by exploiting the two Windows vulnerabilities listed above (MS04-011 and MS03-026), and via network shares and the KaZaa P2P network.

Removal

All Users:
Use the specified engine and DAT files for detection. The 4.2.40 engine can complete repair without a reboot; older engines require a reboot for the repair to complete.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the current engine and DAT combination (or higher); older engines may not be able to remove all registry keys created by this threat.


Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • MultiDropper-KR (dropper)
