The Web    Google
Look Out For 3-Headed Plexus Worm

Look Out For 3-Headed Plexus Worm
June 4, 2004
Ryan NaraineBy

A three-headed worm with a potentially dangerous payload has started spreading rapidly, prompting a warning from security experts that a malicious attacker could load and launch files on infected machines.

Russian anti-virus experts Kaspersky Labs has intercepted the Plexus.A worm infecting machines in three ways simultaneously: via e-mail attachments, on peer-to-peer networks and through the Local Security Authority Subsystem Service (LSASS) vulnerability that was patched by Microsoft (Quote, Chart) in its April batch of security updates.

The appearance of yet another worm exploiting the LSASS flaw is a clear indication that PC users have been tardy about applying the MS04-011 security fix issued by Microsoft on April 13. An advisory from Kapersky Labs said the worm is also capable of exploiting the RPC DCOM vulnerabilities used by Sasser and Lovesan respectively.

"Plexus opens and tracks port 1250 allowing the virus writer to load and launch files on the infected machines," the company said.

Analysis of the worm turned up rewritten code from the MyDoom mass-mailing virus that squirmed through e-mail networks earlier this year.

By leaving a backdoor open, the virus writers can potentially commandeer millions of zombie machines to send spam or to launch denial-of-service attacks .

Kapersky Labs said Plexus.A, which carries a "moderate risk" rating, copies itself to the Windows/Systems 32 directory as upu.exe and then registers a file in the system registry auto-run key to propagate via Local Area Networks (LANs) and file-sharing networks.

The worm copies itself to shared folders and accessible network resources under filenames with .EXE extensions and then exploits two known Microsoft Windows security vulnerabilities to spread.

  • House to Create Homeland Security Oversight Committee
  • Simplify File Recovery with Volume Shadow Copy Service
  • 2/25: Kelvir-A an Instant Messaging Worm
  • 10/29: Singu-B Allows Remote Access
  • The Sober Virus Returns
  • Simplifying SCM with Appliances
  • 8/23: MhtRedir-S Trojan Exploits Flaw
  • 6/28: Agobot-KE Exploits Weak Passwords
  • New Alliance Opposes Anti-Piracy Mandates
  • 3/18: Agent.E Trojan Acts as HTTP Proxy
  • 2/3: Rbot-VD a Worm and a Trojan
  • Security Camera News