W32/Plexus.a@MM

This page shows details and results of our analysis of the malware W32/Plexus.a@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

16,208 bytes (FSG packed)

Description Added

2004-06-03

Description Modified

2004-06-14

Malware Proliferation

Characteristics

-- Update June 3rd, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.techweb.com/wire/story/TWB20040603S0007


This worm propagates via the following vectors:

  • by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533) 'LSASS']
  • by making use of the RPC Interface Buffer Overflow (7.17.03) vulnerability also known as MS03-026.
  • by mailing itself to email addresses harvested from the victim machine (spoofing the From: address)
  • by copying itself over the network

To prevent propagation by the first method, users should install the Microsoft update that addresses the vulnerability this worm exploits. See the following URL for more information:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Mail Propagation

The virus contains its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files on local and mapped drives on the victim machine. Files with the following extensions are trawled:

  • htm
  • html
  • php
  • tbb
  • txt

The From: address of sent messages is spoofed (it may use strings it carries, or email addresses it extracts from the victim machine).

The virus specifically excludes certain email addresses from its target list. It will not mail itself to addresses containing one of many strings it carries in its body.

Outgoing messages bear the following characteristics:

Subject: One of the following subject lines is used:

  • RE: order
  • Good offer.
  • For you
  • RE:
  • Hi, Mike

Attachment: The file attachment will have one of the following filenames:

  • SecUNCE.exe
  • AtlantI.exe
  • AGen1.03.exe
  • demo.exe
  • release.exe

Message Body: May be one of the following:

  • Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
  • Hi, my darling :)
    Look at my new screensaver. I hope you will enjoy...
    Your Liza
  • Hi.
    Here is the archive with those information, you asked me.
    And don't forget it is strongly confidential!!!
    Seya, man.
    P.S. Don't forget my fee ;)
  • My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :)
    And please do not distribute it. It's private.
  • Hi, Nick. In this archive you can find all those things, you asked me.
    See you, Steve.
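The subject lines and attachment names above are the indicators a mail gateway can act on. The following Python check is an added example written for this page; it is not McAfee code and not part of the original description. It parses a raw message with the standard library, matches the subject and attachment filenames against the lists above (case-insensitively), and returns a verdict. The sample message, its addresses and the attachment bytes are constructed for the demonstration.

```python
"""Mail-gateway check for the W32/Plexus.a@MM message indicators listed above.
Added example for this page; not vendor code. The sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above; matching is case-insensitive.
PLEXUS_SUBJECTS = {s.casefold() for s in ("RE: order", "Good offer.", "For you", "RE:", "Hi, Mike")}
PLEXUS_ATTACHMENTS = {a.casefold() for a in
                      ("SecUNCE.exe", "AtlantI.exe", "AGen1.03.exe", "demo.exe", "release.exe")}

# Constructed sample shaped like the messages described. The addresses are made up
# (the From: address is spoofed, as the page says) and the attachment is a few dummy bytes.
SAMPLE_MESSAGE = b"""\
From: steve@example.net
To: someone@example.org
Subject: Hi, Mike
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, Nick. In this archive you can find all those things, you asked me.
See you, Steve.
--b1
Content-Type: application/octet-stream; name="release.exe"
Content-Disposition: attachment; filename="release.exe"
Content-Transfer-Encoding: base64

QUJDREVG
--b1--
"""


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of every attachment part, in order of appearance."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def plexus_indicators(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the Plexus mail indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().casefold()
    names = attachment_names(msg)
    hits = {
        "subject_match": subject in PLEXUS_SUBJECTS,
        "attachment_match": [n for n in names if n.casefold() in PLEXUS_ATTACHMENTS],
        "exe_attachment": [n for n in names if n.casefold().endswith(".exe")],
    }
    if hits["subject_match"] and hits["attachment_match"]:
        hits["verdict"] = "quarantine"   # both known indicators present
    elif hits["attachment_match"] or hits["exe_attachment"]:
        hits["verdict"] = "review"       # executable attachment alone is not conclusive
    else:
        hits["verdict"] = "pass"
    return hits


if __name__ == "__main__":
    print(plexus_indicators(SAMPLE_MESSAGE))
```

On a gateway the raw message bytes would come from the MTA's content filter hook; the attachment name match is the stronger signal here, because the subject lines are short, generic strings that legitimate mail also uses.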

Share Propagation

The virus copies itself to available network resources and the KaZaa shared folder using the following filenames:

  • AVP5.xcrack.exe
  • ICQBomber.exe
  • hx00def.exe
  • InternetOptimizer1.05b.exe
  • Shrek_2.exe
  • UnNukeit9xNTICQ04noimageCrk.exe
  • YahooDBMails.exe

BackDoor Component

The virus opens port 1250 (TCP) on the victim machine. This allows a remote attacker to upload and execute a file on the infected machine. When such a connection is made, the worm saves the uploaded file as _UP.EXE in the temporary directory and executes it.

Symptoms

The virus overwrites the local hosts file in an attempt to thwart the updating of a specific antivirus product. Overwritten hosts files will be detected as W32/Plexus@MM!hosts with the specified DATs.

Installation

The virus installs itself as UPU.EXE in the system directory on the victim machine, for example:

  • C:\WINNT\SYSTEM32\UPU.EXE

A Registry key to run the virus at system startup is also set:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "NvClipRsv" = C:\WINNT\SYSTEM32\UPU.EXE

The virus opens port 1250 (TCP) on the victim machine (file upload backdoor - see above). Additionally, other random ports are opened as well.
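The Installation, Symptoms and BackDoor sections above give three host-side artifacts: the Run key value "NvClipRsv" pointing at UPU.EXE, an overwritten hosts file, and a TCP listener on port 1250. The following Python triage script is an added example written for this page, not McAfee code. So that it runs offline, it checks text captured from a hypothetical infected host (a `reg export` of the Run key, the hosts file, and `netstat -ano` output); all three inputs are constructed. The page does not name the antivirus product whose updates the hosts file blocks, so the redirected hostnames in the sample are placeholders, and the check simply flags every hosts entry that is not a stock loopback name.

```python
"""Host triage for the W32/Plexus.a@MM artifacts described above.
Added example for this page, not vendor code. All inputs are constructed."""
import re
from typing import Optional

# Artifacts taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NvClipRsv"
DROPPED_FILE = "UPU.EXE"
BACKDOOR_PORT = 1250
# Stock hosts entries that are not suspicious on their own.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed `reg export` text of the Run key (reg export doubles backslashes).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv"="C:\\WINNT\\SYSTEM32\\UPU.EXE"
"""

# Constructed hosts file. The av-vendor.example names are placeholders; the page
# does not say which product's update hosts the worm redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       download.av-vendor.example
"""

# Constructed `netstat -ano` output with the backdoor listener and one client.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING       1604
  TCP    192.0.2.10:1250        198.51.100.7:3344      ESTABLISHED     1604
"""


def check_run_key(reg_text: str) -> Optional[str]:
    """Return the command stored under Run\\NvClipRsv if it points at UPU.EXE, else None."""
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].casefold() == RUN_KEY.casefold()
            continue
        if not in_run_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and m.group(1) == RUN_VALUE:
            cmd = m.group(2).replace("\\\\", "\\")  # undo reg export escaping
            if cmd.upper().endswith(DROPPED_FILE):
                return cmd
    return None


def hosts_anomalies(hosts_text: str) -> list:
    """Return (ip, hostname) pairs that are not stock loopback entries."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            if name.casefold() not in LOCAL_NAMES:
                found.append((fields[0], name))
    return found


def listening_pids(netstat_text: str, port: int = BACKDOOR_PORT) -> list:
    """Return PIDs of TCP sockets in LISTENING state on `port` from `netstat -ano` text."""
    pids = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        if int(fields[1].rsplit(":", 1)[1]) == port:
            pids.append(int(fields[4]))
    return pids


def triage(reg_text: str, hosts_text: str, netstat_text: str) -> dict:
    """Combine the three checks into one report."""
    return {
        "run_key": check_run_key(reg_text),
        "hosts_redirects": hosts_anomalies(hosts_text),
        "backdoor_pids": listening_pids(netstat_text),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REG_EXPORT, SAMPLE_HOSTS, SAMPLE_NETSTAT))
```

A PID returned by `listening_pids` can be cross-checked against the process image path; the page says the worm also opens other random ports, so the 1250 check is a positive indicator, not a complete inventory of its sockets.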

A side-effect of the MS04-011 propagation method used by the worm is that LSASS.EXE crashes on the targeted machine. By default such systems reboot after the crash occurs. The following window may be displayed:

Method of Infection

This worm spreads via mass-mailing itself, two high-profile Windows exploits, network shares and KaZaa P2P networks.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps also need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

Variants