Threat Descriptions



Category :


Type :


Aliases :

Worm:W32/Yaha.E, Plexus.A, I-Worm.Plexus.a


The Plexus.A worm was found on June 3rd, 2004. It spreads through Kazaa shares, through email and by exploiting several vulnerabilities.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm spreads by exploiting the vulnerabilities addressed in MS04-011 (CAN-2003-0533, 'LSASS') and MS03-026.

Installation to system

Plexus.A will copy itself within the Windows directory structure and set a Registry entry to point to its executable. The added key is as follows:

"NvClipRsv" = "%winsysdir%\upu.exe"

where %winsysdir% represents the Windows System32 folder.

P2P spreading

When spreading through shares, the filenames used are:


Email spreading

The emails in which the worm spreads have the following appearances:

Subject: RE: order
Body:
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)
Attachment: SecUNCE.exe

Subject: For you
Body:
Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza
Attachment: AtlantI.exe

Subject: Hi, Mike
Body:
My friend gave me this account generator for I wanna share it with you :)
And please do not distribute it. It's private.
Attachment: AGen1.03.exe

Subject: Good offer.
Body:
Greets! I offer you full base of accounts with passwords of mail server Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

Subject: RE:
Body:
Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve
Attachment: release.exe


Plexus attempts to prevent users of Kaspersky products from downloading updates from the company's servers.


It opens port 1250, allowing an attacker to upload additional components to the machine.
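
A host triage check built from the indicators above (the "NvClipRsv" value pointing at upu.exe, and a listener on port 1250), as an added example that is not F-Secure's code. The input formats (name/data pairs from an autostart export, `netstat -ano` text) and all sample data are constructed assumptions; the page does not state whether the port is TCP or UDP, so both are checked.

```python
import re

# Indicators taken from the description above.
RUN_VALUE = "nvcliprsv"     # autostart value name, compared case-insensitively
DROPPED_NAME = "upu.exe"    # file name the value points to
BACKDOOR_PORT = "1250"

def suspicious_autoruns(entries):
    """entries: (value_name, value_data) pairs from an autostart export.
    Returns (name, data, reason) for entries matching either indicator."""
    hits = []
    for name, data in entries:
        basename = re.split(r"[\\/]", data.strip().strip('"'))[-1].lower()
        name_hit = name.strip().lower() == RUN_VALUE
        file_hit = basename == DROPPED_NAME
        if name_hit or file_hit:
            reason = "name+file" if name_hit and file_hit else ("name" if name_hit else "file")
            hits.append((name, data, reason))
    return hits

def backdoor_listeners(netstat_text):
    """Return `netstat -ano` lines whose LOCAL port is 1250 and that are a TCP
    listener or a bound UDP socket (protocol assumed unknown; outbound skipped)."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].upper() not in ("TCP", "UDP"):
            continue
        local_port = f[1].rsplit(":", 1)[-1]
        listening = f[0].upper() == "UDP" or (len(f) > 3 and f[3].upper() == "LISTENING")
        if local_port == BACKDOOR_PORT and listening:
            hits.append(line.strip())
    return hits

# Constructed sample data, not captured from an infected host.
SAMPLE_AUTORUNS = [
    ("NvClipRsv", r"C:\WINDOWS\system32\upu.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("nvcliprsv", r'"C:\WINDOWS\system32\other.exe"'),
]
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING       904
  TCP    0.0.0.0:1250       0.0.0.0:0          LISTENING       1732
  TCP    10.0.0.5:1250      192.0.2.10:80      ESTABLISHED     2200
  TCP    10.0.0.5:3051      192.0.2.11:1250    ESTABLISHED     2200
"""

if __name__ == "__main__":
    print(suspicious_autoruns(SAMPLE_AUTORUNS), backdoor_listeners(SAMPLE_NETSTAT))
```

A "name" or "file" match alone is a weaker signal than "name+file"; an ESTABLISHED connection that merely uses 1250 as an ephemeral or remote port is deliberately not reported.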
