The Plexus.A worm was found on June 3th, 2004. This worm spreads through Kazaa shares, email and through several vulnerabilities.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The worm spreads using vulnerabilities MS04-011 (CAN-2003-0533) 'LSASS' and MS03-026.
Installation to system
Plexus.A will copy itself within the Windows directory structure and set a Registry entry to point to its executable. The added key is as follows:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "NvClipRsv" = "%winsysdir%\upu.exe"
where %winsysdir% represents Windows System32 folder name.
When spreading through shares, the filenames used are:
ICQBomber.exe hx00def.exe YahooDBMails.exe UnNukeit9xNTICQ04noimageCrk.exe Shrek_2.exe InternetOptimizer1.05b.exe AVP5.xcrack.exe
The email in which the worm will spread have the following appearances.
Subject: RE: order Body: Here is the archive with those information, you asked me. And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;) Attachment: SecUNCE.exe Subject: For you Body: Hi, my darling :) Look at my new screensaver. I hope you will enjoy... Your Liza AtlantI.exe Subject: Hi, Mike Body: My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private. Attachment: AGen1.03.exe Subject:Good offer. Body: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, pl ease reply me... Attachment:demo.exe Subject: RE: Body: Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve Attachment: release.exe
Plexus will attempt to prevent users of Kaspersky products to download updates from the company's servers.
It will open the port 1250 allowing an attacker to upload additional components to the machine.
F-Secure Anti-Virus detects Plexus.A worm with the following update:
Detection Type: PC
Technical Details:Ero Carrera, June 4th, 2004