new MS04-011: Plexus.A worm (email and Internet worm)

Discussion in 'malware problems & news' started by the mul, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Jul 31, 2003
    This new worm attempts to spread in a number of different ways. It can spread by email, open email shares, or unpatched Microsoft security vulnerabilities (MS03-026 and MS04-011).

    MS04-011: Plexus.A worm (email and Internet worm)

    Article: Worm Exploits Multiple Windows Vulnerabilities

    Plexus.A worm - Characteristics

    Subject of email: "RE: order", "For you", "Hi, Mike", "Good offer.", "RE:"
    Name of attachment: SecUNCE.exe, AtlantI.exe, AGen1.03.exe, demo.exe, release.exe
    Size of attachment: 16,208
    Time stamp of attachment: n/a
    Ports: TCP 1250, a random TCP port
    Shared drives: Copies itself to network shares
    Target of infection: Copies itself to KaZaA shared folder

    Methods of Infection

    * Retrieves email addresses from files with .htm, .html, .php, .tbb, and .txt extensions, on all fixed drives from C through Y.
    * Uses its own SMTP engine to send itself to the email addresses it finds.
    * Spreads through network shares and the Kazaa file-sharing network.
    * Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS04-011) and the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) through TCP ports 135 and 445.
    * Listens on TCP port 1250 and a random TCP port

    The Mul
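
A mail-gateway check built from the email indicators listed in the post above, as an added example that is not part of the original post or any vendor's tooling. The function names, the verdict thresholds and the sample messages are assumptions, and the attachment size is treated as bytes because the post gives no unit.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the post above.
SUBJECTS = {"re: order", "for you", "hi, mike", "good offer.", "re:"}
ATTACHMENTS = {"secunce.exe", "atlanti.exe", "agen1.03.exe", "demo.exe", "release.exe"}
ATTACHMENT_SIZE = 16208  # assumption: bytes; the post says "16,208" with no unit


def score_message(raw: bytes) -> dict:
    """Report which of the post's email indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "filename": False, "size": False}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        if name in ATTACHMENTS:
            hits["filename"] = True
            # Size only counts on a file that already matched by name.
            hits["size"] |= len(payload) == ATTACHMENT_SIZE
    return hits


def verdict(hits: dict) -> str:
    # Names like "demo.exe" are commonplace, so quarantine needs a second indicator.
    if hits["filename"] and (hits["size"] or hits["subject"]):
        return "quarantine"
    if hits["filename"] or hits["subject"]:
        return "review"
    return "pass"


def build_sample(subject: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment body is zero bytes, not malware."""
    m = EmailMessage()
    m["From"] = "a@example.com"
    m["To"] = "b@example.com"
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(bytes(size), maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("Hi, Mike", "release.exe", 16208), ("Q3 build", "demo.exe", 900), ("Lunch?", "menu.pdf", 100)]:
        print(args, verdict(score_message(build_sample(*args))))
```

The network indicators in the post (a listener on TCP 1250, traffic to TCP 135 and 445) are not covered here and belong in host or firewall checks.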