new MS04-011: Plexus.A worm (email and Internet worm)

Discussion in 'malware problems & news' started by the mul, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    This new worm attempts to spread in a number of different ways. It can spread by email, open email shares, or unpatched Microsoft security vulnerabilities (MS03-026 and MS04-011).


    MS04-011: Plexus.A worm (email and Internet worm)
    http://secunia.com/virus_information/9831/plexus/
    http://www.symantec.com/avcenter/venc/data...xplet.a@mm.html
    http://vil.nai.com/vil/content/v_126116.htm
    http://www.trendmicro.com/vinfo/virusencyc...e=WORM_PLEXUS.A

    Article: Worm Exploits Multiple Windows Vulnerabilities
    http://www.techweb.com/wire/story/TWB20040603S0007


    Plexus.A worm - Characteristics

    Subject of email: "RE: order"; "For you"; "Hi, Mike"; "Good offer."; "RE:"
    Name of attachment: SecUNCE.exe, AtlantI.exe, AGen1.03.exe, demo.exe, release.exe
    Size of attachment: 16,208
    Time stamp of attachment: n/a
    Ports: TCP 1250, a random TCP port
    Shared drives: Copies itself to network shares
    Target of infection: Copies itself to KaZaA shared folder


    Methods of Infection

    * Retrieves email addresses from files with .htm, .html, .php, .tbb, and .txt extensions on all fixed drives from C through Y.
    * Uses its own SMTP engine to send itself to the email addresses it finds.
    * Spreads through network shares and the Kazaa file-sharing network.
    * Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) through TCP ports 135 and 445.
    * Listens on TCP port 1250 and a random TCP port.


    The Mul
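
An added example, not part of the original post: a mail-triage check in Python that tests a raw message against the subject lines, attachment names and attachment size listed above. The function names are hypothetical, the sample messages are constructed with filler bytes, and reading "16,208" as bytes is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the post above; the subject line is split as read
# from its run-together list. Comparison is case-insensitive.
SUBJECTS = {"re: order", "for you", "hi, mike", "good offer.", "re:"}
ATTACHMENTS = {"secunce.exe", "atlanti.exe", "agen1.03.exe", "demo.exe", "release.exe"}
ATTACHMENT_SIZE = 16208  # post says "16,208" with no unit; bytes is an assumption


def plexus_indicators(raw_message: bytes) -> list:
    """Return which of the listed Plexus.A mail indicators a raw message matches."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        if name.strip().lower() in ATTACHMENTS:
            hits.append("attachment-name")
        # Measure the decoded attachment, not its base64 transfer encoding.
        if len(part.get_payload(decode=True) or b"") == ATTACHMENT_SIZE:
            hits.append("attachment-size")
    return hits


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message: filler bytes only, no real sample content."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"\x00" * size, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("Hi, Mike", "AtlantI.exe", 16208),
                 ("RE: order", "invoice.exe", 16208),
                 ("Quarterly report", "report.pdf", 1024)]:
        print(args, "->", plexus_indicators(build_sample(*args)))
```

A subject match alone is weak evidence, since "RE:" and "For you" are common in ordinary mail; the attachment name and size together are the stronger signal.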
     