Description:
Worm/Plexus.A is an Internet worm that spreads through e-mail, using addresses it collects from files it searches on all drives. The worm also spreads by exploiting the known Microsoft vulnerabilities MS04-011 (CAN-2003-0533) 'LSASS' (Local Security Authority Subsystem Service) and MS03-026. These vulnerabilities allow complete control of an affected system: someone with malicious intent can execute code of their choice on the compromised system.
This worm affects users running Windows 2000 and Windows XP. The Windows patch can be installed from the following location:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm arrives through e-mail in one of the following formats:
Subject: RE: order
Body:
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)
Attachment: SecUNCE.exe
or
Subject: For you
Body: Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza
Attachment: AtlantI.exe
or
Subject: Hi, Mike
Body:
My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :)
And please do not distribute it. It's private.
Attachment: AGen1.03.exe
or
Subject: Good offer.
Body:
Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
Attachment: demo.exe
or
Subject: RE:
Body:
Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve
Attachment: release.exe
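As an added example (not part of the original advisory), the following mail-gateway check flags messages whose subject and attachment name match one of the five lure pairs listed above; the helper that builds sample messages and the classification labels are assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject/attachment pairs exactly as listed in the advisory (compared case-insensitively).
PLEXUS_LURES = {
    ("re: order", "secunce.exe"),
    ("for you", "atlanti.exe"),
    ("hi, mike", "agen1.03.exe"),
    ("good offer.", "demo.exe"),
    ("re:", "release.exe"),
}
PLEXUS_ATTACHMENTS = {name for _, name in PLEXUS_LURES}


def attachment_names(msg):
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def classify_message(raw_bytes):
    """Classify a raw RFC 822 message against the Plexus.A lures.

    Returns 'lure' when subject and attachment name match one of the listed
    pairs, 'attachment' when only a listed attachment name is present, and
    None otherwise. Attachment contents are not inspected.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    names = attachment_names(msg)
    if any((subject, n) in PLEXUS_LURES for n in names):
        return "lure"
    if any(n in PLEXUS_ATTACHMENTS for n in names):
        return "attachment"
    return None


def make_eml(subject, body, attachment_name=None):
    """Build a constructed sample message (not a real capture) for testing."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder, not an executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = make_eml("For you", "Look at my new screensaver.", "AtlantI.exe")
    print(classify_message(sample))  # lure
```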
If executed, the worm copies itself to the following locations:
- C:\%WinDir%\%SystemDir%\upu.exe
- %ShareDir%\ICQBomber.exe
- %ShareDir%\hx00def.exe
- %ShareDir%\YahooDBMails.exe
- %ShareDir%\UnNukeit9xNTICQ04noimageCrk.exe
- %ShareDir%\Shrek_2.exe
- %ShareDir%\InternetOptimizer1.05b.exe
- %ShareDir%\AVP5.xcrack.exe
So that it runs each time the computer restarts, the following registry value is added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"NvClipRsv" = "%SystemDIR%\upu.exe"
Worm/Plexus.A will then attempt to prevent users of Kaspersky antivirus products from downloading updates from the company's servers. The backdoor component opens port 1250, allowing an attacker to upload additional components to the system.