new MS04-011: Plexus.A worm (email and Internet worm)

Discussion in 'malware problems & news' started by the mul, Jun 4, 2004.

Thread Status:
Not open for further replies.
    the mul Registered Member

    Jul 31, 2003
    This new worm attempts to spread in a number of different ways. It can spread by email, open email shares, or unpatched Microsoft security vulnerabilities (MS03-026 and MS04-011).

    MS04-011: Plexus.A worm (email and Internet worm)

    Article: Worm Exploits Multiple Windows Vulnerabilities

    Plexus.A worm - Characteristics

    Subject of email: RE: order; For you; Hi, Mike; Good offer.; RE:
    Name of attachment: SecUNCE.exe; AtlantI.exe; AGen1.03.exe; demo.exe; release.exe
    Size of attachment: 16,208
    Time stamp of attachment: n/a
    Ports: TCP 1250, a random TCP port
    Shared drives: Copies itself to network shares
    Target of infection: Copies itself to KaZaA shared folder

    Methods of Infection

    * Retrieves email addresses from files with .htm, .html, .php, .tbb, and .txt extensions, on all fixed drives from C through Y.
    * Uses its own SMTP engine to send itself to the email addresses it finds.
    * Spreads through network shares and the Kazaa file-sharing network.
    * Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) through TCP ports 135 and 445.
    * Listens on TCP port 1250 and a random TCP port.

    The Mul