Threat description




The Plexus.A worm was found on June 3rd, 2004. It spreads through Kazaa shares, email, and several vulnerabilities.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

Technical Details

The worm spreads by exploiting the vulnerabilities MS04-011 (CAN-2003-0533, 'LSASS') and MS03-026.

Installation to system

Plexus.A will copy itself within the Windows directory structure and set a Registry entry to point to its executable. The added key is as follows:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv" = "%winsysdir%\upu.exe"

where %winsysdir% represents the Windows System32 folder.

P2P spreading

When spreading through shares, the filenames used are:

ICQBomber.exe
hx00def.exe
YahooDBMails.exe
UnNukeit9xNTICQ04noimageCrk.exe
Shrek_2.exe
InternetOptimizer1.05b.exe
AVP5.xcrack.exe

Email spreading

The emails in which the worm spreads have the following appearance:

Subject: RE: order
Body:
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)
Attachment: SecUNCE.exe

Subject: For you
Body:
Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza
Attachment: AtlantI.exe

Subject: Hi, Mike
Body:
My friend gave me this account generator for I wanna share it with you :)
And please do not distribute it. It's private.
Attachment: AGen1.03.exe

Subject: Good offer.
Body:
Greets! I offer you full base of accounts with passwords of mail server Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
Attachment: demo.exe

Subject: RE:
Body:
Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve
Attachment: release.exe

Plexus attempts to prevent users of Kaspersky products from downloading updates from the company's servers.

It opens port 1250, allowing an attacker to upload additional components to the machine.
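
A triage sketch built on the indicators listed above, as an added example that is not part of the original F-Secure description: it checks `reg query` output for the Run key, a shared-folder file listing, and `netstat -an` output. The function names and sample data are constructed for illustration, and because the description does not state the protocol used on port 1250, both TCP and UDP are checked.

```python
import re

# Indicators from the description above.
RUN_VALUE, BACKDOOR_PORT = "nvcliprsv", "1250"
UPU_EXE = re.compile(r'(?i)(?:^|[\\/"])upu\.exe(?![\w.])')
P2P_NAMES = {n.lower() for n in (
    "ICQBomber.exe", "hx00def.exe", "YahooDBMails.exe", "Shrek_2.exe",
    "UnNukeit9xNTICQ04noimageCrk.exe", "InternetOptimizer1.05b.exe",
    "AVP5.xcrack.exe")}

def check_run_key(reg_query_output):
    """Flag Run values named NvClipRsv or whose data points at upu.exe."""
    hits = []
    for line in reg_query_output.splitlines():
        m = re.match(r"\s+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if m and (m[1].lower() == RUN_VALUE or UPU_EXE.search(m[2])):
            hits.append(("run-key", m[1], m[2]))
    return hits

def check_shared_files(paths):
    """Flag shared-folder files that use one of the worm's lure names."""
    return [("p2p-name", p) for p in paths
            if re.split(r"[\\/]", p)[-1].lower() in P2P_NAMES]

def check_listeners(netstat_output):
    """Flag sockets listening on (TCP) or bound to (UDP) local port 1250."""
    rows = (line.split() for line in netstat_output.splitlines())
    return [("listener", f[0], f[1]) for f in rows
            if len(f) >= 3 and f[0] in ("TCP", "UDP")
            and (f[0] == "UDP" or f[3:4] == ["LISTENING"])
            and f[1].rsplit(":", 1)[-1] == BACKDOOR_PORT]

# Constructed sample input, not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    NvClipRsv    REG_SZ    C:\WINDOWS\System32\upu.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:1250     0.0.0.0:0       LISTENING
  TCP    10.0.0.5:1250    192.0.2.7:80    ESTABLISHED
"""
SAMPLE_SHARE = [r"C:\My Shared Folder\shrek_2.exe", r"C:\My Shared Folder\notes.txt"]

if __name__ == "__main__":
    print(*check_run_key(SAMPLE_REG), *check_shared_files(SAMPLE_SHARE),
          *check_listeners(SAMPLE_NETSTAT), sep="\n")
```

The Run-key check matches on either the value name or the target file name, so a renamed value that still points at upu.exe is reported as well.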


F-Secure Anti-Virus detects the Plexus.A worm with the following update:

Detection Type: PC

Database: 2004-06-03_01
