
Virus Information


Prevalence: Medium

Name: Win32.Worm.Plexus.A/B

Type: Worm

How it spreads: Exploits the RPC-DCOM (Security Bulletin MS03-026) and LSASS (Security Bulletin MS04-011) vulnerabilities over the network, mass-mails itself with an internal SMTP engine, and copies itself to network shares and file-sharing folders. Details follow below.

Affected operating systems: Windows (Win32)

Aliases: I-Worm.Plexus.A (Kaspersky AV), Win32.HLLW.Expletus.45056

Date of surface: Jun 2 2004
Description:

Plexus uses several ways to spread.

1) Network exploitation. It carries exploit code for the RPC-DCOM vulnerability (Security Bulletin MS03-026) and the LSASS vulnerability (Security Bulletin MS04-011), so unpatched machines reachable from an infected host are infected without any user action.

2) Mass-mailing. It contains an internal SMTP engine to mass-mail itself. For each target domain the engine tries to locate a mail server by prepending the "mx", "smtp", "mail", "mail1", "ns" and "gate" host names. It harvests e-mail addresses from local files with the "htm", "html", "php", "tbb" and "txt" extensions and sends itself to them. It skips any address containing one of the following strings (mostly anti-virus vendors, security organisations, software projects and government or military domains, presumably to avoid drawing attention to samples): "syma", "icrosof", "msn.", "hotmail", "panda", "sopho", "borlan", "inpris", "example", "mydomai", "nodomai", "mysqlruslis", ".gov", "gov.", ".mil", "foo.", "unix", "math", "bsd", "mit.e", "gnu", "fsf.", "ibm.com", "google", "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed", "sendmail", "arin.", "ripe.", "isi.e", "isc.o", "secur", "acketst", "pgp", "tanford.e", "utgers.ed", "mozilla".

The messages are chosen from the following templates (reproduced as the worm sends them, including the misspellings):

Subject: "RE: order", attached file "SecUNCE.exe"
Hi. Here is the archive with those information, you asked me. And dont forget, it is strongly confidencial!!! Seya, man. P.S. Dont forget my fee ;)

Subject: "For you", attached file "AtlantI.exe"
Hi, my darling :) Look at my new screensaver. I hope you will enjoy... Your Liza

Subject: "Hi, Mike", attached file "Agen1.03.exe"
My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. Its private.

Subject: "Good offer", attached file "demo.exe"
Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

Subject: "RE", attached file "release.exe"
Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve

3) Network shares and file-sharing folders. It copies itself to network shares and to the shared folders of file-sharing (P2P) utilities under the names "AVP5.xcrack.exe", "hx00def.exe", "ICQBomber.exe", "InternetOptimizer1.05b.exe", "Shrek_2.exe", "UnNukeit9xNTICQ04noimageCrk.exe" and "YahooDBMails.exe".

4) Hosts-file tampering. It overwrites the %system32%\drivers\etc\hosts file with the following content:

127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com

This points the Kaspersky update servers at the local machine and so disables Kaspersky anti-virus database updates. Checking the hosts file for vendor update hosts mapped to 127.0.0.1 is a quick indicator of this (and of other malware that uses the same trick); the file must be restored as part of cleanup.

5) Backdoor. It opens port 1250 and waits for commands instructing it to download and execute a file specified by the remote party. An unexpected process listening on port 1250 is another indicator.

Version B has the same functionality as version A but additionally drops a copy of Backdoor.Rebbew (described in its own entry).
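The indicators in items 3 to 5 above can be checked mechanically. The script below is an added example, not code from the original page or from MicroWorld/eScan: it flags hosts-file entries that map the listed Kaspersky update hosts to loopback, finds processes listening on port 1250 in `netstat -ano` output, and matches file names on shares against the names the worm uses. The hosts file, netstat output and file listing at the bottom are constructed for the example. One assumption: the page says only "port 1250", so the netstat check treats it as a TCP listener.

```python
"""Triage checks for the Win32.Worm.Plexus indicators listed above.

Added example, not code from the original page or from MicroWorld/eScan.
Each check takes its input as text so it runs offline; the sample inputs
at the bottom are constructed, not captured from a real machine.
ASSUMPTION: port 1250 is a TCP listener (the page only says "port 1250").
"""
from pathlib import PureWindowsPath

# Update servers the worm points at loopback (taken from the page).
HIJACKED_UPDATE_HOSTS = {
    "downloads-eu1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com",
    "downloads1.kaspersky-labs.com",
    "downloads-us1.kaspersky-labs.com",
}

# Names used for copies on network shares / P2P folders, plus the mail
# attachment names; lower-cased because Windows file names are case-insensitive.
DROPPED_NAMES = {
    "avp5.xcrack.exe", "hx00def.exe", "icqbomber.exe",
    "internetoptimizer1.05b.exe", "shrek_2.exe",
    "unnukeit9xnticq04noimagecrk.exe", "yahoodbmails.exe",
    "secunce.exe", "atlanti.exe", "agen1.03.exe", "demo.exe", "release.exe",
}

BACKDOOR_PORT = 1250
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def hijacked_hosts_entries(hosts_text: str) -> list[str]:
    """Return hosts-file lines that map a known AV update host to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK and any(n.lower() in HIJACKED_UPDATE_HOSTS for n in names):
            hits.append(raw.strip())
    return hits


def listeners_on_port(netstat_text: str, port: int = BACKDOOR_PORT) -> list[int]:
    """Return PIDs with a TCP listener on `port`, parsed from `netstat -ano` output."""
    pids = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows of `netstat -ano` have five columns: Proto, Local, Foreign, State, PID
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            local_port = fields[1].rsplit(":", 1)[1]   # also copes with [::]:1250
            if local_port == str(port):
                pids.append(int(fields[4]))
    return pids


def dropped_copies(paths: list[str]) -> list[str]:
    """Return paths whose file name is one the worm is known to drop or attach."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in DROPPED_NAMES]


def triage(hosts_text: str, netstat_text: str, paths: list[str]) -> dict:
    """Run all checks; any non-empty value in the result is an indicator."""
    return {
        "hosts_hijack": hijacked_hosts_entries(hosts_text),
        "port_1250_pids": listeners_on_port(netstat_text),
        "dropped_copies": dropped_copies(paths),
    }


# --- constructed sample input (not captured from a real machine) ---
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
10.0.0.5        intranet.example.local   # legitimate entry, not flagged
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.10:1250      192.168.1.20:3122      ESTABLISHED     1844
  UDP    0.0.0.0:500            *:*                                    1100
"""

SAMPLE_PATHS = [
    r"\\fileserver\public\Shrek_2.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\ICQBomber.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\song.mp3",
]

if __name__ == "__main__":
    for check, found in triage(SAMPLE_HOSTS, SAMPLE_NETSTAT, SAMPLE_PATHS).items():
        print(f"{check}: {found if found else 'clean'}")
```

On a live machine, feed `hijacked_hosts_entries` the contents of %SystemRoot%\system32\drivers\etc\hosts, `listeners_on_port` the output of `netstat -ano`, and `dropped_copies` a directory listing of the shares and P2P folders; a PID reported for port 1250 can then be tied to its image path in Task Manager or `tasklist`.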
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time. Because the worm spreads through the MS03-026 and MS04-011 vulnerabilities, apply those patches and restore the hosts file before reconnecting a cleaned machine to the network; otherwise it can be re-infected by any other infected host.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.
