Plexus is an Internet worm which spreads in three different ways: as an email attachment, via file-sharing networks, and by exploiting the LSASS
and RPC DCOM vulnerabilities in MS Windows (as Sasser and Lovesan did, respectively).
In addition, Plexus carries a potentially dangerous payload.
Upon execution, the worm displays a fake error message, chosen at random from a predefined list:
- CRC checksum failed.
- Pack method not implemented.
- Could not initialize installation. File size expected=26523, size returned=26344.
- File is corrupted.
Plexus copies itself into the Windows\System32 directory as upu.exe.
It then installs two files:
- a file named setpupex.exe to the Windows\System32 directory
- a file named svchost.exe to the Windows root directory - the main module of Plexus.a.
Plexus copies itself to shared folders and accessible network resources under different names.
Plexus exploits the LSASS vulnerability described in MS Security Bulletin MS04-011.
Plexus also exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026 just like last year's Lovesan.
Plexus searches local disks for files with the following extensions: htm; html; php; tbb; txt
and sends copies of itself to all email addresses found in these files.
Plexus attempts to prevent Kaspersky Anti-Virus databases from being updated by replacing the contents of the 'hosts' file in
Windows\System32\drivers\etc\hosts with the following data:
Plexus opens and listens on port 1250, making it possible for files to be remotely loaded onto the victim machine and launched.
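The hosts-file tampering described above is a common way for a worm to cut a machine off from anti-virus updates. The check below is an added example (not part of the original description, and the sample hosts content is constructed, not the worm's actual data): it parses a Windows hosts file and flags hostnames that are sinkholed to loopback or that look like update servers pinned to an arbitrary address.

```python
"""Detect hosts-file entries that redirect update/anti-virus hostnames."""
import ipaddress

# Hostnames a clean Windows hosts file legitimately maps to loopback.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed watchlist of substrings found in vendor/update hostnames; this is
# a constructed heuristic, not the worm's real target list.
UPDATE_KEYWORDS = ("update", "download", "kaspersky", "avp")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:  # malformed address, not a mapping
            continue
        for host in parts[1:]:
            yield ip, host.lower(), no


def find_suspicious_entries(text):
    """Return mappings that point real hostnames away from their servers."""
    findings = []
    for ip, host, no in parse_hosts(text):
        if host in BENIGN_LOOPBACK:
            continue
        reason = None
        if ip.is_loopback or ip.is_unspecified:
            reason = "sinkholed to loopback/0.0.0.0"
        elif any(k in host for k in UPDATE_KEYWORDS):
            reason = "update host pinned to arbitrary address"
        if reason:
            findings.append({"line": no, "ip": str(ip), "host": host, "reason": reason})
    return findings


# Constructed sample hosts file (not the worm's actual replacement content).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       downloads1.example-av.test updates.example-av.test
192.0.2.10      update.example-av.test   # pinned to attacker-chosen address
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `find_suspicious_entries` instead of `SAMPLE_HOSTS`; any finding is a reason to restore the file and re-run a signature update.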