Virus Database

Riot multipartite

Description Riot multipartite

These are harmless memory resident multipartite viruses. On execution of infected file they hit MBR of hard drive. On loading from infected disk they hook INT 13h, then they hook INT 21h and write themselves at the end of COM-files are executed. They contain the internal text string:
(c) Metal Militia/Immortal Riot

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Plexus.a

Description I-Worm.Plexus.a

Plexus is an Internet worm which spreads in three different ways: as an email attachment, via file-sharing networks and using the LSASS and RPC DCOM vulnerabilites in MS Windows like Sasser and Lovesan respectively. In addition, Plexus carries a potentially dangerous payload.
Plexus contains rewritten code from Mydoom. It is written in MS Visual C++ and compressed with FSG. The compressed file is 40800 bytes in size while the decompressed file is 88570 bytes in size.
Installation
Upon execution, the worm displays a fake error message, chosen at random from those listed below:
CRC checksum failed.
Pack method not implemented.
Could not initialize installation. File size expected=26523, size returned=26344.
File is corrupted.
Plexus copies itself into the WindowsSystem32 directory as upu.exe. It then installs two files:
a file named setpupex.exe to the WindowsSystem32 directory
a file named svchost.exe to the Windows root directory
Setupex.exe is Backdoor.Dumaru.ai, a backdoor program, which is writtten in Microsoft Visual C++, and compressed using FSG. The compressed file is 21088 bytes in size, and 53772 when uncompressed.
Svchost.exe is the main module of Plexus.a. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16208 bytes in size and 57856 bytes when decompressed. The text inside this file is encrypted, and contains the line:
"-== KAV I'm Expletus !!!. Made in China. ==-"
Plexus then registers itself in the system registry auto-run key:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"NvClipRsv"=[path to the executable file]
Plexus also creates the unique identifier 'expletus' to identify itself in the system, and to prevent more than one copy of the worm being executed on each infected machine.
Propagation
Via LANs and file-sharing networks
Plexus copies itself to shared folders and accessible network resources under the following names:
AVP5.xcrack.exe
hx00def.exe
ICQBomber.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
UnNukeit9xNTICQ04noimageCrk.exe
YahooDBMails.exe
Via MS Windows vulnerabilities
LSASS vulnerability
Plexus exploits the LSASS vulnerability described in >MS Security Bulletin MS04-011
Microsoft released a patch for this vulnerability on April 13, 2004. The patch is available in the MS Security Bulletin listed above.
RPC DCOM vulnerability
Plexus also exploits the DCOM RPC vulnerability described in MS Security Bulletin MS03-026 just like last year's Lovesan.
The MS patch for this vulnerability is availble in the MS Security Bulletin listed above.
Via infected email attachments
Plexus searches local disks for files with the following extensions:
htm
html
php
tbb
txt
and sends copies of itself to all email addresses found in these files.
The infected email contains one of the following sets of text:
Variant 1
Message header
RE: order
Message body
Hi. Here is the archive with those information, you asked me.
And don't forget, it is strongly confidencial!!! Seya, man. P.S. Don't forget my fee ;)
Attachment name
SecUNCE.exe
Variant 2
Message header
For you
Message body
Hi, my darling :) Look at my new screensaver. I hope you will enjoyall Your Liza
Attachment name
AtlantI.exe
Variant 3
Message header
Hi, Mike
Message body
My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private.
Attachment name
Agen1.03.exe
Variant 4
Message header
Good offer
Message body
Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...
Attachment name
demo.exe
Variant 5
Message header
RE:
Message body
Hi, Nick. In this archive you can find all those things, you asked me. See you. Steve
Attachment name
release.exe
Payload
Plexus attempts to prevent Kaspersky Anti- Virus databases from being updated by replacing the contents of the 'hosts' file in WindowsSystem32driversetchosts with the following data:
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
If your machine is infected, you are recommended to delete this file before downloading antivirus database updates.
Trojan functions
Plexus opens and tracks port 1250, making it possible for files to be remotely loaded onto the victim machine and launched.

I-Worm.Plexus.b

Description I-Worm.Plexus.b

I-Worm.Plexus.b spreads via local networks and the Internet as an attachment to infected messages. It also spreads via file-sharing networks, and exploits a vulnerability in MS Windows LSASS. It is very similar to I-Worm.Plexus.a, with a few insignificant differences.
The worm is written in Microsoft Visual C++, and is 69632 bytes in size.
Installation
On launching, Plexus.b copies itself to the WindowsSystem32 folder under the upu.exe. It then installs a file named setupex.exe to the WindowsSystem32 folder, and a file named svchost.exe to the Windows root directory.
Setupex.exe is TrojanProxy.Win32.Webber.h, a Trojan proxy program. The program is writtten in Microsoft Visual C++, and is 47779 bytes in size. svchost.exe is the main module of Plexus.b. It is written in Microsoft Visual C++ and compressed using FSG. The compressed file is 16224 bytes in size and 57857 bytes when decompressed. The text inside this file is encrypted, and contains the line:
"-== KAV I'm Expletus !!!. Made in China. ==-"
The worm registers this file in the system register auto-run key:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
InternetServ=path to executable file
It also creates the mutex Expletus.b, to flag its presence in the system, ensuring that only one copy of the worm can be executed.
Propagation via local and file sharing networks.
The worm copies itself to the file-sharing folder and to all accessible network resources under the following names:
AVP5.xcrack.exe
InternetOptimizer1.05b.exe
Shrek_2.exe
ICQ04noimageCrk.exe
UnNukeit9xNT.exe
YahooDBMails.exe
hx00def.exe
ICQBomber.exe
The worm is otherwise identical to I-Worm.Plexus.a

Home