Plexus is a highly dangerous, highly contagious computer worm that spreads over three paths: e-mail, file-sharing networks, and the LSASS and RPC DCOM vulnerabilities in Microsoft Windows. Plexus is built on rewritten Mydoom code in Microsoft Visual C++, and its main body is encoded.
Alias: W32.Explet.A@mm
Date appeared: 3/6/2004
Description:
Once on a system, Plexus copies itself into the Windows\System32 directory under the name upu.exe. To run automatically at every system start, the worm creates a value in the registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv" = [path to the executable file of the virus]
Plexus also creates a unique identifier named 'expletus' to mark its own presence on the system.
Infection:
Over the LAN and file-sharing networks
Plexus copies itself to shared folders and to accessible network shares under the following names:
AVP5.xcrack.exe
hx00def.exe
ICQBomber.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
Via vulnerabilities in Microsoft Windows
LSASS vulnerability
Plexus exploits the LSASS vulnerability in Windows (see Microsoft Security Bulletin MS04-011 for details).
RPC DCOM vulnerability
Plexus also exploits the RPC DCOM vulnerability in the same way the Lovesan worm did last year (see Microsoft Security Bulletin MS03-026 for details).
Via attachments by e-mail
Plexus searches the victim machine for files with the following extensions and harvests e-mail addresses from them to send itself to:
htm
html
php
tbb
Infected e-mail messages take one of the following forms:
Variant 1
Subject: RE: order
Body:
Hi. Here is the archive with those information, you asked me.
And do not forget, it is strongly confidencial !!! Seya, man. P.S. Do not forget my fee;)
Attachment: SecUNCE.exe
Variant 2
Subject: For you
Body:
Hi, my darling :) Look at my new screensaver. I hope you will enjoy...
Your Liza
Attachment: AtlantI.exe
Variant 3
Subject: Hi, Mike
Body:
My friend gave me this generator account for
http://www.pantyola.com
I wanna share it with you :)
And please do not distribute it. It's private.
Attachment: Agen1.03.exe
Variant 4
Subject: Good offer
Body:
Greets! I offer you the full base of accounts with passwords of mail server
yahoo.com. Here is a sample of it. You can see that all the
information is real. If you want to buy a full base, please reply me...
Attachment: demo.exe
Variant 5
Subject:
Body:
Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve
Attachment: release.exe
Trojan (backdoor) functionality
Plexus opens port 1250, allowing the virus author to upload and execute files on the victim machine.
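The indicators above (the NvClipRsv Run-key value pointing at upu.exe, the file names dropped on shares, and the listener on port 1250) are what a responder checks for on a suspect host. The following is an added example, not code from the original page: it parses three kinds of evidence a responder typically collects (a REGEDIT4-style registry export of the Run key, a file listing of a share, and Windows `netstat -an` output) and reports which Plexus indicators are present. The sample data is constructed here so the check runs offline; the full path C:\WINDOWS\system32\upu.exe and the assumption that port 1250 is a TCP listener are this example's own.

```python
"""Host-side indicator check for the Plexus worm (added example, not from the page)."""
import ntpath
import re

# Indicators taken from the page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "NvClipRsv"
DROPPED_FILE = "upu.exe"
SHARE_NAMES = {
    "AVP5.xcrack.exe", "hx00def.exe", "ICQBomber.exe",
    "InternetOptimizer1.05b.exe", "Shrek_2.exe",
    "UnNukeit9xNTICQ04noimageCrk.exe", "YahooDBMails.exe",
}
BACKDOOR_PORT = 1250  # assumed TCP for this example

# Windows netstat -an line: "  TCP    0.0.0.0:1250    0.0.0.0:0    LISTENING"
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key: {value_name: data}}.

    Only the string-value form "name"="data" (and the default value @=...)
    is handled, which is all the Run key uses. Backslashes and quotes are
    escaped with a backslash in .reg files, so they are unescaped here."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            data = re.sub(r"\\(.)", r"\1", data.strip().strip('"'))
            result[current][name] = data
    return result


def check_run_key(reg):
    """Return (value name, data) Run-key entries matching the worm's persistence value."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or ntpath.basename(data).lower() == DROPPED_FILE:
            hits.append((name, data))
    return hits


def check_share_listing(filenames):
    """Return file names on a share that match the worm's dropped names (case-insensitive)."""
    wanted = {n.lower() for n in SHARE_NAMES}
    return sorted(f for f in filenames if f.lower() in wanted)


def check_listeners(netstat_text, port=BACKDOOR_PORT):
    """Return local addresses that have a TCP listener on the backdoor port."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == port:
            hits.append(m.group(1))
    return hits


def scan_host(reg_export, share_files, netstat_text):
    """Run all three checks and return only the ones that produced findings."""
    findings = {
        "run_key": check_run_key(parse_reg_export(reg_export)),
        "share_files": check_share_listing(share_files),
        "listeners": check_listeners(netstat_text),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed sample evidence (not real captures).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NvClipRsv"="C:\\WINDOWS\\system32\\upu.exe"
"""
SAMPLE_SHARE = ["Shrek_2.exe", "report.docx", "yahoodbmails.exe"]
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1250       192.168.1.9:4123       ESTABLISHED
"""

if __name__ == "__main__":
    for category, items in scan_host(SAMPLE_REG, SAMPLE_SHARE, SAMPLE_NETSTAT).items():
        print(f"{category}: {items}")
```

The Run-key check matches on either the value name or the file name of the referenced executable, so a variant that renames the value but still launches upu.exe is caught; the share and netstat checks are deliberately case-insensitive because Windows file names and command output are.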