

Plexus.A


Aliases:


Worm:W32/Yaha.E
Plexus.A
I-Worm.Plexus.a

Malware
Worm
W32

Summary

The Plexus.A worm was found on June 3rd, 2004. This worm spreads through Kazaa shares, by email and by exploiting several vulnerabilities.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

The worm spreads by exploiting the MS04-011 'LSASS' vulnerability (CAN-2003-0533) and the MS03-026 vulnerability.


Installation to system

Plexus.A will copy itself within the Windows directory structure and set a Registry entry to point to its executable. The added key is as follows:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "NvClipRsv" = "%winsysdir%\upu.exe"
 

where %winsysdir% represents the Windows System32 folder.


P2P Spreading

When spreading through shares, the filenames used are:

ICQBomber.exe
hx00def.exe
YahooDBMails.exe
UnNukeit9xNTICQ04noimageCrk.exe
Shrek_2.exe
InternetOptimizer1.05b.exe
AVP5.xcrack.exe


Email spreading

The emails in which the worm spreads have one of the following appearances.

Subject: RE: order
Body: Here is the archive with those information, you asked me.
 And don't forget, it is strongly confidencial!!!
    Seya, man.
 P.S. Don't forget my fee ;)

Attachment: SecUNCE.exe

Subject: For you
Body: Hi, my darling :)
 Look at my new screensaver. I hope you will enjoy...
        Your Liza

Attachment: AtlantI.exe

Subject: Hi, Mike
Body: My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :)
 And please do not distribute it. It's private.

Attachment: AGen1.03.exe

Subject:Good offer.
Body: Greets! I offer you full base of accounts with passwords of mail server
 yahoo.com. Here is archive with small part of it. You can see that all
 information is real. If you want to buy full base, pl
 ease reply me...

Attachment:demo.exe

Subject: RE:
Body: Hi, Nick. In this archive you can find all those things, you asked me.
 See you. Steve

Attachment: release.exe


Payload

Plexus attempts to prevent users of Kaspersky products from downloading updates from the company's servers.


Backdoor

The worm opens port 1250, allowing an attacker to upload additional components to the machine.
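The two host-side indicators given above, the Run key value under Installation to system and the listener on port 1250 under Backdoor, can be checked with a small triage script. The following is an added example, not part of the F-Secure write-up or its tooling; it parses constructed sample output of `reg query` and `netstat -ano` so it runs offline, and on a real host the same functions would be fed the actual command output.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up
RUN_VALUE_NAME = "NvClipRsv"
RUN_IMAGE_NAME = "upu.exe"
BACKDOOR_PORT = 1250

# Constructed sample output of:
#   reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundTray    REG_SZ    C:\WINDOWS\system32\soundtray.exe
    NvClipRsv    REG_SZ    C:\WINDOWS\system32\upu.exe
"""

# Constructed sample output of: netstat -ano
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING       1732
  TCP    192.168.1.20:1251      10.0.0.5:80            ESTABLISHED     2044
"""

def suspicious_run_entries(reg_output: str) -> List[str]:
    """Return Run values whose name or image matches the Plexus.A indicators."""
    hits = []
    for line in reg_output.splitlines():
        # reg query prints "<name>  <type>  <data>" separated by runs of spaces
        parts = re.split(r"\s{2,}|\t", line.strip())
        if len(parts) < 3:
            continue
        name, data = parts[0], parts[2]
        if name == RUN_VALUE_NAME or data.lower().endswith("\\" + RUN_IMAGE_NAME):
            hits.append(f"{name} -> {data}")
    return hits

def listening_pids_on_port(netstat_output: str, port: int = BACKDOOR_PORT) -> List[int]:
    """Return PIDs that hold a TCP listener bound to the given port."""
    pids = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[1] == str(port):
                pids.append(int(fields[4]))
    return pids

def triage(reg_output: str, netstat_output: str) -> Dict[str, object]:
    """Combine both checks; 'suspect' is True if either indicator is present."""
    run_hits = suspicious_run_entries(reg_output)
    pids = listening_pids_on_port(netstat_output)
    return {"run_entries": run_hits, "port_1250_pids": pids, "suspect": bool(run_hits or pids)}

if __name__ == "__main__":
    print(triage(SAMPLE_REG_QUERY, SAMPLE_NETSTAT))
```

A listener on port 1250 alone is only a hint, since other software may use that port; the PID it returns should be resolved to its image path and compared against the Run key result before acting.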



Detection

F-Secure Anti-Virus detects the Plexus.A worm as of the following update:

Detection Type: PC
Database: 2004-06-03_01



Technical Details: Ero Carrera, June 4th, 2004


