Email-Worm.Win32.Plexus.a

Other versions: .b

Aliases
Email-Worm.Win32.Plexus.a (Kaspersky Lab) is also known as: I-Worm.Plexus.a (Kaspersky Lab), W32/Plexus.a@MM (McAfee), W32.Explet.A@mm (Symantec), Win32.HLLM.Expletus.45056 (Doctor Web), W32/Dumaru-AK (Sophos), Win32/Plexus.A@mm (RAV), WORM_PLEXUS.A (Trend Micro), Worm/Plexus.B (H+BEDV), W32/Plexus.A (FRISK), Win32:Plexus (ALWIL), Worm/Plexus.A (Grisoft), Win32.Worm.Plexus.A (SOFTWIN), W32/Plexus.A.worm (Panda), Win32/Plexus.A (Eset)
Description added: Jun 03 2004
Behavior: Email Worm
Technical details

Plexus is an Internet worm which spreads in three different ways: as an email attachment, via file-sharing networks, and by exploiting the LSASS and RPC DCOM vulnerabilities in MS Windows, as Sasser and Lovesan did respectively. In addition, Plexus carries a potentially dangerous payload.

Plexus contains rewritten code from Mydoom. It is written in MS Visual C++ and compressed with FSG. The compressed file is 40800 bytes in size while the decompressed file is 88570 bytes in size.

Installation

Upon execution, the worm displays a fake error message, chosen at random from those listed below:

CRC checksum failed.
Pack method not implemented.
Could not initialize installation. File size expected=26523, size returned=26344.
File is corrupted.

Plexus copies itself into the Windows\System32 directory as upu.exe. It then installs two files:

a file named setupex.exe to the Windows\System32 directory

a file named svchost.exe to the Windows root directory

Setupex.exe is Backdoor.Dumaru.ai, a backdoor program, which is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 21088 bytes in size, and 53772 bytes when uncompressed.

Svchost.exe is the main module of Plexus.a. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16208 bytes in size and 57856 bytes when decompressed. The text inside this file is encrypted, and contains the line:

"-== KAV I'm Expletus !!!. Made in China. ==-"

Plexus then registers itself in the system registry auto-run key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "NvClipRsv"=[path to the executable file]

Plexus also creates the unique identifier 'expletus' to identify itself in the system, and to prevent more than one copy of the worm being executed on each infected machine.

Propagation

Via LANs and file-sharing networks

Plexus copies itself to shared folders and accessible network resources under the following names:

AVP5.xcrack.exe
hx00def.exe
ICQBomber.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe

Via MS Windows vulnerabilities

LSASS vulnerability

Plexus exploits the LSASS vulnerability described in MS Security Bulletin MS04-011.

Microsoft released a patch for this vulnerability on April 13, 2004. The patch is available in the MS Security Bulletin listed above.

RPC DCOM vulnerability

Plexus also exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026, just like last year's Lovesan.

The MS patch for this vulnerability is available in the MS Security Bulletin listed above.

Via infected email attachments

Plexus searches local disks for files with the following extensions:

htm
html
php
tbb
txt

and sends copies of itself to all email addresses found in these files.

The infected email contains one of the following sets of text:

Variant 1

Message header
RE: order
Message body
Hi. Here is the archive with those information, you asked me.

And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;)
Attachment name
SecUNCE.exe

Variant 2

Message header
For you
Message body
Hi, my darling :) Look at my new screensaver. I hope you will
enjoy...
Your Liza
Attachment name
AtlantI.exe

Variant 3

Message header
Hi, Mike
Message body
My friend gave me this account generator for
http://www.pantyola.com I wanna share it with you :)
And please do not distribute it. It's private.
Attachment name
Agen1.03.exe

Variant 4

Message header
Good offer
Message body
Greets! I offer you full base of accounts with passwords of mail
server
yahoo.com. Here is archive with small part of it. You can see that all
information is real. If you want to buy full base, please reply me...
Attachment name
demo.exe

Variant 5

Message header
RE:
Message body
Hi, Nick. In this archive you can find all those things, you
asked me. 
See you. Steve
Attachment name
release.exe

Payload

Plexus attempts to prevent Kaspersky Anti-Virus databases from being updated by replacing the contents of the 'hosts' file in Windows\System32\drivers\etc\hosts with the following data:

127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com

If your machine is infected, you are recommended to delete this file before downloading antivirus database updates.
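As an added defensive check (not part of the original description), the following Python script parses a hosts file and reports which of the update servers listed above have been pinned to a loopback or unspecified address; the sample hosts content is constructed for the example. The second function generalizes the same check to any non-local hostname pinned to loopback, since the technique is not specific to one vendor.

```python
import ipaddress

# Update servers the worm pins to 127.0.0.1, copied from the description above.
KASPERSKY_UPDATE_HOSTS = {
    "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com",
    "downloads-eu1.kaspersky-labs.com",
    "downloads-us1.kaspersky-labs.com",
}
# Names that legitimately map to loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address
        for name in parts[1:]:
            yield addr, name.lower().rstrip(".")

def find_update_blocks(text, watched=KASPERSKY_UPDATE_HOSTS):
    """Return watched update hosts the file pins to a loopback or unspecified (0.0.0.0) address."""
    return sorted({name for addr, name in parse_hosts(text)
                   if name in watched and (addr.is_loopback or addr.is_unspecified)})

def find_loopback_pins(text, allow=LOCAL_NAMES):
    """General check: every non-local hostname pinned to loopback, whatever vendor it belongs to."""
    return sorted({name for addr, name in parse_hosts(text)
                   if addr.is_loopback and name not in allow})

# Constructed sample: a default hosts file with the worm's entries appended.
SAMPLE_HOSTS = """# default entry
127.0.0.1       localhost
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
"""

if __name__ == "__main__":
    print("blocked update hosts:", find_update_blocks(SAMPLE_HOSTS))
```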

Trojan functions

Plexus opens port 1250 and listens on it, making it possible for files to be remotely loaded onto the victim machine and launched.

Copyright © 1996 - 2009
Kaspersky Lab