This new worm attempts to spread in a number of different ways. It can spread by email, open email shares, or unpatched Microsoft security vulnerabilities (MS03-026 and MS04-011).MS04-011: Plexus.A worm (email and Internet worm)http://secunia.com/virus_information/9831/plexus/http://www.symantec.com/avcenter/venc/data...email@example.com://vil.nai.com/vil/content/v_126116.htmhttp://www.trendmicro.com/vinfo/virusencyc...e=WORM_PLEXUS.AArticle: Worm Exploits Multiple Windows Vulnerabilitieshttp://www.techweb.com/wire/story/TWB20040603S0007Plexus.A worm - Characteristics
Subject of email: RE: order For you Hi, Mike Good offer. RE:
Name of attachment: SecUNCE.exe AtlantI.exe AGen1.03.exe demo.exe release.exe
Size of attachment: 16,208
Time stamp of attachment: n/a
Ports: TCP 1250, a random TCP port
Shared drives: Copies itself to network shares
Target of infection: Copies itself to KaZaA shared folder Methods of Infection
- Retrieves email address from files with .htm, .html, .php, .tbb, and .txt extensions, on all fixed drives from C through Y.
* Uses its own SMTP engine to send itself to the email addresses it finds.
* Spreads through network shares and the Kazaa file-sharing network.
* Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011)
* DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) through TCP ports 135 and 445.
* Listens on TCP port 1250 and a random TCP port