Win32.Worm.Plexus.A/B
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Plexus.A/B is also known as I-Worm.Plexus.A (Kaspersky AV).
Explanation:
Plexus spreads in several ways.
1) It contains network-spreading code that exploits the RPC-DCOM vulnerability (Security Bulletin MS03-026) and the LSASS vulnerability (Security Bulletin MS04-011).
2) It contains an internal SMTP engine to mass-mail itself. For each domain it collects, the SMTP engine guesses the mail server by prepending the "mx", "smtp", "mail", "mail1", "ns" and "gate" prefixes to the domain name. The worm harvests e-mail addresses from local files with the "htm", "html", "php", "tbb" and "txt" extensions and sends itself to them.
The worm skips any address containing one of the following substrings (mostly antivirus vendors, Microsoft, government, military and open-source infrastructure domains): "syma", "icrosof", "msn.", "hotmail", "panda", "sopho", "borlan", "inpris", "example", "mydomai", "nodomai", "mysqlruslis", ".gov", "gov.", ".mil", "foo.", "unix", "math", "bsd", "mit.e", "gnu", "fsf.", "ibm.com", "google", "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed", "sendmail", "arin.", "ripe.", "isi.e", "isc.o", "secur", "acketst", "pgp", "tanford.e", "utgers.ed", "mozilla".
The messages are chosen from the following (subject, attachment name and body text are reproduced as the worm sends them, including their spelling errors):
Subject: "RE: order", attached file "SecUNCE.exe"
Body: Hi. Here is the archive with those information, you asked me. And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;)
Subject: "For you", attached file "AtlantI.exe"
Body: Hi, my darling :) Look at my new screensaver. I hope you will enjoy... Your Liza
Subject: "Hi, Mike", attached file "Agen1.03.exe"
Body: My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private.
Subject: "Good offer", attached file "demo.exe"
Body: Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
Subject: "RE", attached file "release.exe"
Body: Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve
3) It copies itself to network shares and to the shared folders of file-sharing utilities under the following names: "AVP5.xcrack.exe", "hx00def.exe", "ICQBomber.exe", "InternetOptimizer1.05b.exe", "Shrek_2.exe", "UnNukeit9xNTICQ04noimageCrk.exe", "YahooDBMails.exe".
4) It rewrites the %system32%\drivers\etc\hosts file with the following content:
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
Because these names now resolve to the local machine, Kaspersky antivirus can no longer reach its update servers, so signature database updates are disabled.
5) It opens port 1250 and listens for specific commands that instruct it to download and execute a given file.
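The hosts-file hijack in item 4 is easy to check for on any Windows host. The following Python script is an added example, not code from the original page or from BitDefender: it parses a hosts file (comments, tabs, several hostnames per line), and flags any entry that maps an antivirus update domain to a loopback or 0.0.0.0 sinkhole address. It goes slightly beyond the page: the five kaspersky-labs.com names are the ones Plexus writes, while the other vendor suffixes and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Domain suffixes whose hijacking would silence an AV product's updater.
# "kaspersky-labs.com" covers the five names Plexus writes; the others are
# assumed, illustrative vendor suffixes, not taken from the original page.
AV_UPDATE_SUFFIXES = (
    "kaspersky-labs.com",
    "kaspersky.com",            # assumed
    "symantecliveupdate.com",   # assumed
    "sophos.com",               # assumed
    "bitdefender.com",          # assumed
)

# Addresses that make a hostname unreachable: IPv4/IPv6 loopback and 0.0.0.0.
SINKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("0.0.0.0/32"),
)

# Constructed sample hosts content (not a real capture): normal entries plus
# the five lines the worm writes, using the whitespace variants hosts allows.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example      # constructed, legitimate
0.0.0.0         ads.tracker.example        # sinkholed, but not an AV domain
127.0.0.1\tdownloads-eu1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com downloads4.kaspersky-labs.com
127.0.0.1   downloads1.kaspersky-labs.com   # trailing comment
127.0.0.1 downloads-us1.kaspersky-labs.com
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    A '#' starts a comment; blank lines and lines whose first field is not a
    valid IP address are ignored, as the resolver itself would ignore them.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def is_sinkhole(ip):
    """True if the address points nowhere useful (loopback or 0.0.0.0)."""
    return any(ip in net for net in SINKHOLE_NETS)


def is_av_update_domain(name):
    """True if the hostname equals or lies under one of the AV vendor suffixes."""
    return any(name == s or name.endswith("." + s) for s in AV_UPDATE_SUFFIXES)


def find_hijacked_av_hosts(text):
    """Return [(line_number, ip_string, hostname)] for AV domains mapped to a sinkhole."""
    return [
        (lineno, str(ip), name)
        for lineno, ip, name in parse_hosts(text)
        if is_av_update_domain(name) and is_sinkhole(ip)
    ]


def main():
    # Pass a path (e.g. C:\Windows\System32\drivers\etc\hosts) to scan a real
    # file; with no argument the constructed sample is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = find_hijacked_av_hosts(text)
    for lineno, ip, name in hits:
        print(f"line {lineno}: {name} -> {ip} (AV update domain sinkholed)")
    if not hits:
        print("no sinkholed AV update domains found")


if __name__ == "__main__":
    main()
```

Running the script with no arguments reports the five kaspersky-labs.com entries and nothing else; the localhost lines and the sinkholed ad domain are correctly ignored. The same check is worth running after cleanup, since a host whose hosts file still points update servers at 127.0.0.1 will silently stop receiving signatures.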
Version .B contains the same functionality as .A, but additionally drops a copy of Backdoor.Rebbew (a full description of Backdoor.Rebbew is available separately).
Last update 21 November 2011