MS04-011: Plexus.A worm (email and Internet worm)


#1 harrywaldron
Posted 03 June 2004 - 03:35 PM

This new worm attempts to spread in a number of different ways. It can spread by email, open email shares, or unpatched Microsoft security vulnerabilities (MS03-026 and MS04-011).

MS04-011: Plexus.A worm (email and Internet worm)

Article: Worm Exploits Multiple Windows Vulnerabilities

Plexus.A worm - Characteristics

Subject of email: "RE: order", "For you", "Hi, Mike", "Good offer.", "RE:"
Name of attachment: SecUNCE.exe, AtlantI.exe, AGen1.03.exe, demo.exe, release.exe
Size of attachment: 16,208
Time stamp of attachment: n/a
Ports: TCP 1250, a random TCP port
Shared drives: Copies itself to network shares
Target of infection: Copies itself to KaZaA shared folder

Methods of Infection

* Retrieves email addresses from files with .htm, .html, .php, .tbb, and .txt extensions on all fixed drives from C through Y.
* Uses its own SMTP engine to send itself to the email addresses it finds.
* Spreads through network shares and the Kazaa file-sharing network.
* Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) through TCP ports 135 and 445.
* Listens on TCP port 1250 and a random TCP port.
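
A triage sketch built on the indicators listed in the post (attachment names, the 16,208-byte size, and the TCP 1250 listener); it is an added example, not part of the original post. The mail-log column layout and all sample data are constructed assumptions, and the port check assumes Windows `netstat -an` output.

```python
import csv
import io
import re

# Indicators copied from the post: attachment names, attachment size, listening port.
ATTACHMENT_NAMES = {"secunce.exe", "atlanti.exe", "agen1.03.exe", "demo.exe", "release.exe"}
ATTACHMENT_SIZE = 16208
LISTEN_PORT = 1250

def triage_mail_log(csv_text):
    """Return (sender, attachment, confidence) for rows whose attachment name matches.

    Names such as demo.exe are common, so a name-only match is 'low' confidence;
    a name match with the exact 16,208-byte size is 'high'.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["attachment"].strip().lower()
        if name not in ATTACHMENT_NAMES:
            continue
        confidence = "high" if int(row["size"]) == ATTACHMENT_SIZE else "low"
        findings.append((row["sender"], row["attachment"], confidence))
    return findings

NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.MULTILINE)

def listeners_on(netstat_text, port=LISTEN_PORT):
    """Return local addresses with a TCP listener on `port` in `netstat -an` output."""
    return [m.group(1) for m in NETSTAT_LINE.finditer(netstat_text) if int(m.group(2)) == port]

# Constructed sample data (hypothetical gateway log columns, not from the post).
SAMPLE_MAIL_LOG = '''sender,subject,attachment,size
alice@example.com,"Hi, Mike",AtlantI.exe,16208
bob@example.com,Build 7,demo.exe,482113
carol@example.com,Minutes,notes.txt,16208
'''

SAMPLE_NETSTAT = '''
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3021          10.0.0.9:1250          ESTABLISHED
  TCP    0.0.0.0:12500          0.0.0.0:0              LISTENING
'''

if __name__ == "__main__":
    for finding in triage_mail_log(SAMPLE_MAIL_LOG):
        print(finding)
    print(listeners_on(SAMPLE_NETSTAT))
```

The subject lines are deliberately not matched: strings like "RE:" and "For you" are too generic to separate worm traffic from ordinary mail.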
