Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 8 June 2004 09:25:42 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
Download and install the Microsoft patches for the LSASS and DCOM RPC vulnerabilities the worm exploits (MS04-011 and MS03-026, referenced in the More Information section below).
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to remove the following registry entry. Removing this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvClipRsv
and delete it if it exists.
Close the registry editor.
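The manual steps above, collected into a single PowerShell script. This is an added example and not Sophos tooling. It assumes a current Windows host with PowerShell 5 or later (the original instructions target NT/2000/XP/2003, where PowerShell is not available), that it is run from an elevated prompt, and that a backup folder under %TEMP% is acceptable. The paths, the Run value name and the hostnames stripped from the hosts file are the ones given on this page; the -DryRun switch and the backup location are my assumptions.

```powershell
# Added example (not Sophos's own tooling): performs the W32/Plexus-B clean-up
# steps from this page. Run from an elevated PowerShell prompt.
# Assumptions: PowerShell 5+, backups under %TEMP%, -DryRun switch.
#Requires -RunAsAdministrator
param([switch]$DryRun)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'NvClipRsv'
$backupDir = Join-Path $env:TEMP ('plexus-cleanup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Hostnames the worm maps to 127.0.0.1 (list taken from this page). Only hosts
# lines that point exactly these names at loopback are removed, so entries an
# administrator added deliberately are left alone.
$wormHosts = @(
    'downloads1.kaspersky-labs.com',
    'downloads2.kaspersky-labs.com',
    'downloads4.kaspersky-labs.com',
    'downloads-eu1.kaspersky-labs.com',
    'downloads-us1.kaspersky-labs.com'
)

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up the hosts file and the Run key before changing either.
Copy-Item -LiteralPath $hostsPath -Destination (Join-Path $backupDir 'hosts.bak')
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' (Join-Path $backupDir 'Run.reg') /y | Out-Null

# 2. Strip the worm's hosts entries. A hosts line is "<ip> <name> [<name>...] [# comment]".
$kept = @(); $removed = @()
foreach ($line in Get-Content -LiteralPath $hostsPath) {
    $fields = ($line -split '#')[0].Trim() -split '\s+'
    if ($fields.Count -ge 2 -and $fields[0] -eq '127.0.0.1' -and
        ($fields[1..($fields.Count - 1)] | Where-Object { $wormHosts -contains $_.ToLower() })) {
        $removed += $line
    } else {
        $kept += $line
    }
}
if ($removed.Count -gt 0) {
    Write-Host "Removing $($removed.Count) worm hosts entries:"
    $removed | ForEach-Object { Write-Host "  $_" }
    if (-not $DryRun) { Set-Content -LiteralPath $hostsPath -Value $kept -Encoding ASCII }
} else {
    Write-Host 'No worm hosts entries found.'
}

# 3. Remove the persistence value from the Run key.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    Write-Host "Run value $valueName = $($run.$valueName)"
    if (-not $DryRun) { Remove-ItemProperty -Path $runKey -Name $valueName }
} else {
    Write-Host "Run value $valueName not present."
}

Write-Host "Backups written to $backupDir"
```

Run it once with -DryRun to see what it would change, then again without. If the worm replaced the hosts file wholesale rather than appending to it, restoring the file from a known-good backup, as the text says, is still the safer choice; the script only removes the five lines listed on this page.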
More Information
W32/Plexus-B is a complex worm with backdoor functionality that spreads by email, network shares, KaZaA network shares, and by exploiting the LSASS buffer overflow and DCOM RPC vulnerabilities.
For more information about these vulnerabilities see Microsoft security bulletins MS04-011 and MS03-026.
The dropper copies itself to the Windows system folder as UPU.EXE and SUPU.EXE. It also drops SETUPEX.EXE to the Windows system folder and SVCHOST.EXE to the Windows folder, and runs both.
SETUPEX.EXE is already detected by Sophos Anti-Virus as a component of W32/Dumaru-AK.
The dropper may display one of the following fake error messages:
'CRC checksum failed.'
'Pace method not implemented.'
'Could not initialize installation. File size expected=26523, size returned=26344'
'File is corrupted.'
The SVCHOST.EXE file dropped by the dropper is an email and network share worm which also spreads by exploiting the RPC and LSASS vulnerabilities.
The email sent by the worm has characteristics chosen from the following lists.
Subject line:
'RE: order'
'For you'
'Hi, Mike'
'Good offer.'
'RE:'
Message text:
'Hi.
Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!!
Seya, man.
P.S. Don't forget my fee ;)'
'Hi, my darling :)
Look at my new screensaver. I hope you will enjoy...
Your Liza'
'My friend gave me this account generator for http://www.pantyola.com I wanna
share it with you :)
And please do not distribute it. It's private.'
'Greets! I offer you full base of accounts with passwords of mail server
yahoo.com. Here is archive with small part of it . You can see that all
information is real. If you want to b uy full base, please reply me...'
'Hi, Nick. In this archive you can find all those things, you asked me.
See you. Steve'
Attached file:
release.exe
demo.exe
AGen1.03.exe
AtlantI.exe
SecUNCE.exe
The worm copies itself into the KaZaA transfer folder and available shared
folders with the following filenames:
AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe
The worm adds the following registry entry so that it is run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvClipRsv
The worm sends the W32/Plexus-A dropper to email addresses harvested from files with the extensions PHP, TXT, TBB, HTML and HTM.
The email 'from' address is spoofed: the worm may take it from a predetermined list, from the email addresses it finds locally, or generate one at random.
As part of its payload the worm replaces the hosts file with one containing the following entries, which map the listed anti-virus download servers to the loopback address so that updates from them fail:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
The worm listens on port 1250 for incoming connections, over which it may receive updated copies of itself or other files to install on the infected computer.
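The indicators described in this section (dropped files, the Run value, the hosts file entries, the port 1250 listener and the share filenames) gathered into a read-only triage script. This is an added example, not Sophos tooling; it reports and changes nothing. The file names, paths, registry value, hostnames and port come from this page. It assumes PowerShell 5 or later on a current Windows host; the use of Get-NetTCPConnection with a netstat fallback, the SHA-256 hashing, the output format and the command-line folder arguments are my assumptions.

```powershell
# Added example (not Sophos's own tooling): checks a Windows host for the
# W32/Plexus-B indicators on this page and reports what it finds. Read-only.
# Assumptions: PowerShell 5+, Get-NetTCPConnection or netstat available,
# optional folders to sweep for the share filenames passed as arguments.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Kind; Detail = $Detail })
}

$sys32 = Join-Path $env:SystemRoot 'System32'

# Dropped files. The worm's SVCHOST.EXE sits in the Windows folder itself;
# the legitimate svchost.exe lives in System32, so only the former is flagged.
$droppedFiles = @(
    (Join-Path $sys32 'UPU.EXE'),
    (Join-Path $sys32 'SUPU.EXE'),
    (Join-Path $sys32 'SETUPEX.EXE'),
    (Join-Path $env:SystemRoot 'SVCHOST.EXE')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'file' "$f sha256=$hash"
    }
}

# Persistence: the Run value the worm adds.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'NvClipRsv' -ErrorAction SilentlyContinue
if ($run) { Add-Finding 'registry' "$runKey\NvClipRsv = $($run.NvClipRsv)" }

# Hosts file: the anti-virus download servers redirected to loopback.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$wormHostPattern = '^\s*127\.0\.0\.1\s+downloads(?:\d|-eu\d|-us\d)\.kaspersky-labs\.com\b'
Select-String -LiteralPath $hostsPath -Pattern $wormHostPattern |
    ForEach-Object { Add-Finding 'hosts' $_.Line.Trim() }

# Backdoor listener on port 1250, with the owning process where available.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listener = Get-NetTCPConnection -LocalPort 1250 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            "pid=$($_.OwningProcess) path=$($p.Path)"
        }
} else {
    # Older hosts: parse netstat, e.g. "  TCP  0.0.0.0:1250  0.0.0.0:0  LISTENING  1234"
    $listener = netstat -ano -p tcp |
        Select-String -Pattern ':1250\s+\S+\s+LISTENING\s+(\d+)' |
        ForEach-Object { "pid=$($_.Matches[0].Groups[1].Value)" }
}
foreach ($l in @($listener)) { if ($l) { Add-Finding 'network' "TCP 1250 listening $l" } }

# KaZaA / shared-folder copies: sweep any folders given on the command line.
$shareNames = 'AVP5.xcrack.exe', 'InternetOptimizer1.05b.exe', 'Shrek_2.exe',
              'UnNukeit9xNTICQ04noimageCrk.exe', 'YahooDBMails.exe', 'hx00def.exe', 'ICQBomber.exe'
foreach ($dir in $args) {
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $shareNames -contains $_.Name } |
        ForEach-Object { Add-Finding 'share' $_.FullName }
}

if ($findings.Count -eq 0) { 'No W32/Plexus-B indicators found.' } else { $findings | Format-Table -AutoSize }
```

Save it as, say, Find-PlexusB.ps1 and pass any share folders to sweep as arguments. The file and registry indicators are the strongest evidence; a listener on port 1250 can belong to something else, so treat the network indicator as a lead to be confirmed against the owning process. Collect the reported hashes before cleaning so the sample can be matched later.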
