WORM_PLEXUS.C

[Randy_Bell]

WORM_PLEXUS.C is a recently discovered worm that uses its own SMTP engine to send copies of itself via email. Emails appear with subject headers like: "Order" or "Good Offer". Messages appear to be from a familiar person.

Examples of messages:
"Look at my new screensaver. I hope you will enjoy"
"In this archive you can find all those things, you asked me"

The message comes with an .EXE attachment. Once executed, WORM_PLEXUS.C drops several copies of itself onto the infected system and creates Windows registry entries to automatically execute at each system startup.

To propagate, WORM_PLEXUS.C looks for files with the following extension names to retrieve email addresses and domain names: HTM, HTML, PHP, TBB, TXT. This worm can also drop copies of itself in the Kazaa (peer-to-peer network) shared folder, and propagate through network shares with full access rights.

This worm's code also contains the following text:
"KAV I'm Expletus !!!, Made in China"

This worm is currently in-the-wild and affects Windows 95, 98, ME, NT, 2000, and XP operating systems.

If you would like to scan your computer for WORM_PLEXUS.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_PLEXUS.C is detected and cleaned by Trend Micro pattern file #902 and above.