I-Worm.Plexus.b
Description I-Worm.Plexus.b
I-Worm.Plexus.b spreads via local networks and the Internet as an attachment to infected messages. It also spreads via file-sharing networks, and exploits a vulnerability in MS Windows LSASS. It is very similar to I-Worm.Plexus.a, with a few insignificant differences. The worm is written in Microsoft Visual C++, and is 69632 bytes in size.

Installation

On launching, Plexus.b copies itself to the Windows\System32 folder under the name upu.exe. It then installs a file named setupex.exe to the Windows\System32 folder, and a file named svchost.exe to the Windows root directory.

Setupex.exe is TrojanProxy.Win32.Webber.h, a Trojan proxy program. The program is written in Microsoft Visual C++, and is 47779 bytes in size.

svchost.exe is the main module of Plexus.b. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16224 bytes in size and 57857 bytes when decompressed. The text inside this file is encrypted, and contains the line: "-== KAV I'm Expletus !!!. Made in China. ==-"

The worm registers this file in the system registry auto-run key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
InternetServ=path to executable file

It also creates the mutex Expletus.b to flag its presence in the system, ensuring that only one copy of the worm can be executed.

Propagation via local and file sharing networks

The worm copies itself to the file-sharing folder and to all accessible network resources under the following names:

AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
ICQ04noimageCrk.exe
UnNukeit9xNT.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe

The worm is otherwise identical to I-Worm.Plexus.a.
James.516
Description James.516
It is a harmless memory resident parasitic virus. It copies itself to the Interrupt Vectors Table, hooks INT 21h and writes itself to the end of .COM files that are executed, opened or renamed. This virus contains the text: James Bond is Alive!
Janka.1336
Description Janka.1336
It is a very dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus does not infect files whose names contain any of the substrings: WEB, AVP, EST, AND.
On the 24th of any month the virus destroys data on the first hard drive. The virus contains the text string: [Janka [1.05D], 1998]