The worm itself is a PE executable 102400 bytes long. It is not
encrypted, but there could appear encrypted versions of this worm
that might make its detection harder. The worm has a WinZip icon
pretending to be a self-extracting ZIP archive.
The Plage worm arrives as an e-mail attachment and being run
installs itself to system as INETD.EXE to root Windows folder.
The worm then modifies WIN.INI file and Registry to be run during
every further Windows sessions. Being active in memory the worm
communicates with MAPI-compatible e-mail browsers, looks for
unanswered messages and replies to them itself. The worm's reply
message looks like an ordinary autoreply that many people use
while they can't read their e-mails:
P2000 Mail auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '
> Get your FREE P2000 Mail now! <
The worm's body is always attached to the message. The file name
of the attachment is randomly selected by the worm from the
When a recepient gets this message and clicks on the attachment
(which, he thinks is a ZIP archive) the worm infects his system
as well. First the worm outputs a WinZip Self-Extractor -like
When a user clicks on 'Unzip' or 'Run WinZip' buttons the worm
displays a fake error message and installs itself to system:
If 'Close' button is clicked the worm installs itself to system
and exits without displaying anything. If any other button is
clicked a standard Windows error message is displayed and the
worm installs itself to system as well.
Being active the worm checks date and time and on Wednesdays
right after midnight it tries to display a dialog with the
and the following text:
Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a.
The worm doesn't have any destructive payload. But as it spreads
itself with a trustworthy message so it may become widespread
[Analysis: Alexey Podrezov, F-Secure, January 2000]