
Win32.Worm.Plexus.A/B

MEDIUM
MEDIUM
16,208 bytes (FSG packed), ~60 KB unpacked (version A)
(I-Worm.Plexus.A (Kaspersky AV), Win32.HLLW.Expletus.45056)

Symptoms

1. The file "upu.exe" is present in the %system32% folder.

2. The registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] contains the
value "NvClipRsv", which holds the path to the originally executed file (e.g. C:\1\a.exe), not the path of upu.exe.

3. Port 1250 is open (listening).

Removal instructions:

Let BitDefender delete the infected files. The %system32%\drivers\etc\hosts file should be restored from a clean backup, and the "NvClipRsv" Run value (together with the file it points to) should be removed if it is still present.
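The three symptoms above can be checked in one pass. The following triage script is an added example and is not part of the Bitdefender write-up: the indicator values (upu.exe, the NvClipRsv Run value, port 1250) come from the description, while the assumption that the listener is TCP and all variable names are the script's own. Run it from an elevated PowerShell prompt (PowerShell 4 or later for Get-FileHash; Get-NetTCPConnection needs Windows 8 / Server 2012 or later).

```powershell
# Added triage script (not from the Bitdefender description). Checks the three
# Plexus.A/B symptoms on a live Windows host and prints what it finds.
# Indicators taken from the write-up: upu.exe, Run value "NvClipRsv", port 1250.
# Assumptions of this script: the port 1250 listener is TCP; variable names are ours.

$findings = @()

# Symptom 1: dropped copy in %SystemRoot%\System32
$dropped = Join-Path $env:SystemRoot 'System32\upu.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $hash)"
}

# Symptom 2: HKLM Run value "NvClipRsv". It points at the file that was originally
# executed (e.g. C:\1\a.exe), not at upu.exe, so that file must be removed as well.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'NvClipRsv' -ErrorAction SilentlyContinue
if ($run) {
    $origPath  = ([string]$run.NvClipRsv).Trim('"')
    $origState = if (Test-Path -LiteralPath $origPath) { 'still on disk' } else { 'missing' }
    $findings += "Run value NvClipRsv -> $origPath ($origState)"
}

# Symptom 3: backdoor listener on port 1250 (assumed TCP). On systems without
# Get-NetTCPConnection use:  netstat -ano | findstr ':1250'
$listeners = Get-NetTCPConnection -LocalPort 1250 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "Port 1250/tcp listening: PID $($conn.OwningProcess) $($proc.ProcessName) $($proc.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Plexus indicators found.'
} else {
    Write-Output 'Plexus indicators found:'
    foreach ($f in $findings) { Write-Output " - $f" }
}
```

The script only reports; deletion is left to the antivirus product so that quarantine copies are kept. The SHA256 of upu.exe and the path from the Run value are the two artifacts worth recording before cleanup, since the Run value is the only place the original dropper's location is preserved.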

Analyzed By

BitDefender Antivirus Research Team

Technical Description:

Plexus uses several ways of spreading.

1) It contains network-spreading code that exploits the RPC-DCOM (Security Bulletin MS03-026) and LSASS (Security Bulletin MS04-011) vulnerabilities.

2) It contains an internal SMTP engine to mass-mail itself. The worm searches local folders for files with the "htm", "html", "php", "tbb" and "txt" extensions, extracts e-mail addresses from them and sends itself to those addresses. For each domain it finds, the SMTP engine attempts delivery to mail servers named by prepending the "mx", "smtp", "mail", "mail1", "ns" and "gate" prefixes to the domain.

The worm does not send mail to any e-mail address containing one of the following substrings (which excludes most antivirus vendors, Microsoft, government, military and open-source infrastructure domains): "syma", "icrosof", "msn.", "hotmail", "panda", "sopho", "borlan", "inpris", "example", "mydomai", "nodomai", "mysqlruslis", ".gov", "gov.", ".mil", "foo.", "unix", "math", "bsd", "mit.e", "gnu", "fsf.", "ibm.com", "google", "kernel", "linux", "fido", "usenet", "iana", "ietf", "rfc-ed", "sendmail", "arin.", "ripe.", "isi.e", "isc.o", "secur", "acketst", "pgp", "tanford.e", "utgers.ed", "mozilla".

The messages are chosen from the following:

Subject: "RE: order", attached file "SecUNCE.exe"

Hi. Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;)

Subject: "For you", attached file "AtlantI.exe"

Hi, my darling :) Look at my new screensaver. I hope you will enjoy... Your Liza

Subject: "Hi, Mike", attached file "Agen1.03.exe"

My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private.

Subject: "Good offer", attached file "demo.exe"

Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

Subject: "RE", attached file "release.exe"

Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve

3) It copies itself to network shares, and to the shared folders of file-sharing utilities, as "AVP5.xcrack.exe",
"hx00def.exe", "ICQBomber.exe", "InternetOptimizer1.05b.exe", "Shrek_2.exe", "UnNukeit9xNTICQ04noimageCrk.exe", "YahooDBMails.exe".

4) It overwrites the %system32%\drivers\etc\hosts file with the following content:

127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com

Because these names now resolve to the local machine instead of the vendor's update servers, Kaspersky Anti-Virus can no longer download database updates.
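The hosts-file hijack is easy to verify and undo by hand. The script below is an added example, not code from the Bitdefender write-up: it lists every hosts entry that maps a non-local name to a loopback address, marks the five kaspersky-labs.com names listed above, saves the tampered file as evidence and restores a clean copy. The backup location ($backupHosts) is an assumption; point it at wherever your known-good copy lives.

```powershell
# Added example (not from the Bitdefender description): detect and undo the
# Plexus hosts-file sinkhole. The five kaspersky-labs.com names are from the
# write-up; the backup path and all variable names are assumptions of this script.

$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$backupHosts = 'C:\backup\hosts'   # assumed location of a known-good copy
$plexusNames = @(
    'downloads-eu1.kaspersky-labs.com', 'downloads2.kaspersky-labs.com',
    'downloads4.kaspersky-labs.com',    'downloads1.kaspersky-labs.com',
    'downloads-us1.kaspersky-labs.com'
)

# A hosts line is "<address> <name> [<name>...]" and '#' starts a comment.
# Only localhost should resolve to 127.0.0.1/::1; any other name pointed there
# is a sinkhole, whether or not it is on the Plexus list.
$hijacked = foreach ($line in (Get-Content -LiteralPath $hostsPath)) {
    $text = ($line -split '#', 2)[0].Trim()
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }
    if ($fields[0] -notin @('127.0.0.1', '::1')) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        if ($name -match '^localhost(\.localdomain)?$') { continue }
        [pscustomobject]@{
            Name   = $name
            Plexus = ($plexusNames -contains $name.ToLower())
        }
    }
}

if (-not $hijacked) {
    Write-Output 'hosts: no loopback entries other than localhost.'
    return
}

foreach ($h in $hijacked) {
    $tag = if ($h.Plexus) { '(Plexus sinkhole)' } else { '(review manually)' }
    Write-Output (' - {0} -> loopback {1}' -f $h.Name, $tag)
}

# Keep the tampered file as evidence, then restore from backup; with no backup,
# fall back to the minimal default content so normal DNS resolution takes over.
$evidence = "${hostsPath}.plexus-$(Get-Date -Format 'yyyyMMddHHmmss')"
Copy-Item -LiteralPath $hostsPath -Destination $evidence
if (Test-Path -LiteralPath $backupHosts) {
    Copy-Item -LiteralPath $backupHosts -Destination $hostsPath -Force
} else {
    Set-Content -LiteralPath $hostsPath -Value "127.0.0.1`tlocalhost" -Encoding ASCII
}
ipconfig /flushdns | Out-Null
Write-Output "hosts restored; tampered copy saved as $evidence"
```

Run it elevated, since the hosts file is writable only by administrators. Entries tagged "(review manually)" are loopback mappings the page does not attribute to Plexus; they may be legitimate local overrides, so the script reports them but the fallback restore still replaces the whole file, which is why the evidence copy is taken first.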

5) It opens port 1250 and listens for specific commands that instruct it to download and execute a file, giving the attacker a simple backdoor on the infected host.


Version .B contains the same functionality as .A, but additionally drops a copy of Backdoor.Rebbew (see the separate description of Backdoor.Rebbew).