Home > Threat descriptions >

Plexus.A

Classification

Category: Malware

Type: Worm

Aliases: Worm:W32/Yaha.E, Plexus.A, I-Worm.Plexus.a

Summary


The Plexus.A worm was found on June 3th, 2004. This worm spreads through Kazaa shares, email and through several vulnerabilities.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The worm spreads using vulnerabilities MS04-011 (CAN-2003-0533) 'LSASS' and MS03-026.

Installation to system

Plexus.A will copy itself within the Windows directory structure and set a Registry entry to point to its executable. The added key is as follows:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv" = "%winsysdir%\upu.exe"
 

where %winsysdir% represents Windows System32 folder name.

P2p Spreading

When spreading through shares, the filenames used are:

ICQBomber.exe
hx00def.exe
YahooDBMails.exe
UnNukeit9xNTICQ04noimageCrk.exe
Shrek_2.exe
InternetOptimizer1.05b.exe
AVP5.xcrack.exe
Email spreading

The email in which the worm will spread have the following appearances.

Subject: RE: order Body: Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!

 Seya, man.
P.S. Don't forget my fee ;)
Attachment: SecUNCE.exe
Subject: For you Body: Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
 Your Liza
AtlantI.exe Subject: Hi, Mike Body: My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :)
And please do not distribute it. It's private.
Attachment: AGen1.03.exe
Subject:Good offer. Body: Greets! I offer you full base of accounts with passwords of mail server
yahoo.com. Here is archive with small part of it. You can see that all
information is real. If you want to buy full base, pl
ease reply me...
Attachment:demo.exe
Subject: RE: Body: Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve
Attachment: release.exe
Payload

Plexus will attempt to prevent users of Kaspersky products to download updates from the company's servers.

Backdoor

It will open the port 1250 allowing an attacker to upload additional components to the machine.