|
|
I-Worm.Plexus. Viruses Information
| Name: |
I-Worm.Plexus. |
| Category: |
Viruses |
| Description:
|
Details
I-Worm.Plexus.a
Plexus is an Internet worm which spreads in three different ways: as an email attachment, via file-sharing networks and using the LSASS and RPC DCOM vulnerabilites in MS Windows like Sasser and Lovesan respectively. In addition, Plexus carries a potentially dangerous payload.
Plexus contains rewritten code from Mydoom. It is written in MS Visual C++ and compressed with FSG. The compressed file is 40800 bytes in size while the decompressed file is 88570 bytes in size.
Installation
Upon execution, the worm displays a fake error message, chosen at random from those listed below:
CRC checksum failed.
Pack method not implemented.
Could not initialize installation. File size expected=26523, size returned=26344.
File is corrupted.
Plexus copies itself into the WindowsSystem32 directory as upu.exe. It then installs two files:
a file named setpupex.exe to the WindowsSystem32 directory
a file named svchost.exe to the Windows root directory
Setupex.exe is Backdoor.Dumaru.ai, a backdoor program, which is writtten in Microsoft Visual C++, and compressed using FSG. The compressed file is 21088 bytes in size, and 53772 when uncompressed.
Svchost.exe is the main module of Plexus.a. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16208 bytes in size and 57856 bytes when decompressed. The text inside this file is encrypted, and contains the line:
"-== KAV I'm Expletus !!!. Made in China. ==-"
Plexus then registers itself in the system registry auto-run key:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"NvClipRsv"=[path to the executable file]
Plexus also creates the unique identifier 'expletus' to identify itself in the system, and to prevent more than one copy of the worm being executed on each infected machine.
Propagation
Via LANs and file-sharing networks
Plexus copies itself to shared folders and accessible network resources under the following names:
AVP5.xcrack.exe
hx00def.exe
ICQBomber.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
Via MS Windows vulnerabilities
LSASS vulnerability
Plexus exploits the LSASS vulnerability described in >MS Security Bulletin MS04-011
Microsoft released a patch for this vulnerability on April 13, 2004. The patch is available in the MS Security Bulletin listed above.
RPC DCOM vulnerability
Plexus also exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026 just like last year's Lovesan.
The MS patch for this vulnerability is availble in the MS Security Bulletin listed above.
Via infected email attachments
Plexus searches local disks for files with the following extensions:
htm
html
php
tbb
txt
and sends copies of itself to all email addresses found in these files.
The infected email contains one of the following sets of text:
Variant 1
Message header
RE: order
Message body
Hi. Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;)
Attachment name
SecUNCE.exe
Variant 2
Message header
For you
Message body
Hi, my darling :) Look at my new screensaver. I hope you will enjoyall Your Liza
Attachment name
AtlantI.exe
Variant 3
Message header
Hi, Mike
Message body
My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private.
Attachment name
Agen1.03.exe
Variant 4
Message header
Good offer
Message body
Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
Attachment name
demo.exe
Variant 5
Message header
RE:
Message body
Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve
Attachment name
release.exe
Payload
Plexus attempts to prevent Kaspersky Anti- Virus databases from being updated by replacing the contents of the 'hosts' file in WindowsSystem32driversetchosts with the following data:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
If your machine is infected, you are recommended to delete this file before downloading antivirus database updates.
Trojan functions
Plexus opens and tracks port 1250, making it possible for files to be remotely loaded onto the victim machine and launched. |
Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 73 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win32.Hidra - 43 visits
Win16.Klon.1177 - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
Trivial.106.
I-Worm.Bri
IRC-Worm.Spt
Macro.Word97.Passbox.
TrojanSpy.Win32.KI
WinNT.RemE
Turn.55
Macro.Word97.Novosib.
Kolumna.204
Mefl.62
|
|
