This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum DAT: 4365 (2004-06-09)
Updated DAT: 7020 (2013-03-20)
Minimum Engine: 5400.1158
File Length: 16,208 bytes (FSG packed)
Description Added: 2004-06-03
Description Modified: 2004-06-14
-- Update June 3rd, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.techweb.com/wire/story/TWB20040603S0007
This worm propagates via the following vectors:
To prevent propagation by the first method, users should install the Microsoft update for the exploit this worm uses. See the following URL for more information:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Mail Propagation
The virus contains its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files on local and mapped drives on the victim machine. Files with the following extensions are trawled:
The From: address of sent messages is spoofed (it may use strings it carries, or email addresses it extracts from the victim machine).
The virus specifically excludes certain email addresses from its target list. It will not mail itself to addresses containing one of many strings it carries in its body.
Outgoing messages bear the following characteristics:
Subject: One of the following subject lines is used:
Attachment: The file attachment will have one of the following filenames:
Message Body: May be one of the following:
Share Propagation
The virus copies itself to available network resources and the KaZaa shared folder using the following filenames:
BackDoor Component
The virus opens port 1250 (TCP) on the victim machine. This enables the hacker to remotely upload and execute a file on an infected machine. Upon such a connection, the worm saves the uploaded file as _UP.EXE in the temporary directory and executes it.
The virus overwrites the local hosts file in an attempt to thwart the updating of a specific antivirus product. Overwritten hosts files will be detected as W32/Plexus@MM!hosts with the specified DATs.
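A defender-side check for the hosts-file tampering described above, added here as an example (it is not McAfee's or the page's own code): it parses a hosts file and flags any name other than localhost that is pinned to loopback, plus any watched update domain given a static mapping. The sample hosts contents and the vendor domain example-av.test are constructed for the demonstration.

```python
import ipaddress

# Constructed sample hosts file, shaped like one a mass-mailer leaves behind
# after pinning a vendor's update servers to loopback.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # hypothetical vendor update host
127.0.0.1       download.example-av.test
10.0.0.5        fileserver.corp.test
"""

# Names that legitimately resolve to loopback on a stock Windows host.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed address, not an entry
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_entries(text, watch_suffixes=()):
    """Flag non-localhost names pinned to loopback/unspecified addresses, and any
    name under a watched suffix (e.g. an AV update domain) that has a static mapping."""
    flagged = []
    for addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((str(addr), name, "non-localhost name pinned to loopback"))
        elif any(name == s or name.endswith("." + s) for s in watch_suffixes):
            flagged.append((str(addr), name, "watched domain statically mapped"))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS, ("example-av.test",)):
        print(f"{ip:15} {name:30} {reason}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` and pass your own vendor's update domains as `watch_suffixes`.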
Installation
The virus installs itself as UPU.EXE in the system directory on the victim machine, for example:
A Registry key to run the virus at system startup is also set:
The virus opens port 1250 (TCP) on the victim machine (file upload backdoor - see above). Additionally, other random ports are opened as well.
A side-effect of the MS04-011 propagation characteristics of the worm is that LSASS.EXE crashes on the targeted machine. By default such systems will reboot after the crash occurs. The following window may be displayed:
This worm spreads via mass-mailing itself, two high-profile Windows exploits, network shares and KaZaa P2P networks.
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: