NEW PLEXUS VIRUS THAT ENTERS VIA MAIL, RPCDCOM, LSASS AND P2P

msc hotline sat


Post by msc hotline sat » 04 Jun 2004, 12:28

McAfee informs us that it now detects the new Plexus virus, which spreads by mass-mailing and also infects by intruding through the LSASS vulnerability (like Sasser) and the RPCDCOM vulnerability (like Blaster), as well as by infecting P2P shares (Kazaa, eMule, eDonkey...), so we expect to hear more about it.



It will be detected from DATs 4365 onward, although at the end we provide a script for generating an EXTRA.DAT which, once added to the McAfee DATs folder, already detects this virus.



In addition, for its removal, today we will upload to this website the new versions of ELILSA.EXE and ELIRPCA.EXE, to which we have added stand-alone removal of this virus, on top of the ones they already handled.



McAfee's description:

__________________________________________



Virus Name: W32/Plexus@MM

Risk Assessment

Corporate User: Low-Profiled

Home User: Low-Profiled



Virus Information

Discovery Date: 06/03/2004

Origin: Unknown

Length: 16,208 bytes (FSG packed)

Type: Virus

SubType: Internet Worm

Minimum DAT: 4365 (06/09/2004)

Updated DAT: 4365 (06/09/2004)

Minimum Engine: 4.2.40

Description Added: 06/03/2004

Description Modified: 06/03/2004 12:39 PM (PT)




Virus Characteristics:

-- Update June 3rd, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.techweb.com/wire/story/TWB20040603S0007



This worm propagates via the following vectors:



by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533) 'LSASS']

by making use of the RPC Interface Buffer Overflow (7.17.03) vulnerability also known as MS03-026.

by mailing itself to email addresses harvested from the victim machine (spoofing the From: address)

by copying itself over the network

To prevent propagation by the first method, users should install the Microsoft update for the exploit this worm uses. See the following URL for more information:



http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx



Mail Propagation



The virus contains its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files on local and mapped drives on the victim machine. Files with the following extensions are trawled:





htm

html

php

tbb

txt

The From: address of sent messages is spoofed (it may use strings it carries, or email addresses it extracts from the victim machine).



The virus specifically excludes certain email addresses from its target list. It will not mail itself to addresses containing one of many strings it carries in its body.



Outgoing messages bear the following characteristics:



Subject: One of the following subject lines is used:



RE: order

Good offer.

For you

RE:

Hi, Mike

Attachment: The file attachment will have one of the following filenames:



SecUNCE.exe

AtlantI.exe

AGen1.03.exe

demo.exe

release.exe

Message Body: May be one of the following:



Greets! I offer you full base of accounts with passwords of mail server yahoo.com. Here is archive with small part of it. You can see that all information is real. If you want to buy full base, please reply me...

Hi, my darling :)

Look at my new screensaver. I hope you will enjoy...

Your Liza

Hi.

Here is the archive with those information, you asked me.

And don't forget it is strongly confidential!!!

Seya, man.

P.S. Don't forget my fee ;)

My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :)

And please do not distribute it. It's private.

Hi, Nick. In this archive you can find all those things, you asked me.

See you, Steve.

Share Propagation



The virus copies itself to available network resources and the KaZaa shared folder using the following filenames:



AVP5.xcrack.exe

ICQBomber.exe

hx00def.exe

InternetOptimizer1.05b.exe

Shrek_2.exe

UnNukeit9xNTICQ04noimageCrk.exe

YahooDBMails.exe



Symptoms

The virus overwrites the local hosts file in an attempt to thwart the updating of a specific antivirus product. Overwritten hosts files will be detected as W32/Plexus@MM!hosts with the specified DATs.



Installation



The virus installs itself as UPU.EXE in the system directory on the victim machine, for example:



C:\WINNT\SYSTEM32\UPU.EXE

A Registry value to run the virus at system startup is also set:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NvClipRsv" = C:\WINNT\SYSTEM32\UPU.EXE

The virus opens port 1250 (TCP) on the victim machine, and other random ports as well.



A side-effect of the MS04-011 propagation characteristics of the worm is that LSASS.EXE crashes on the targeted machine. By default such systems will reboot after the crash occurs. The following window may be displayed:



Method Of Infection

This worm spreads via mass-mailing itself, two high-profile Windows exploits, network shares and KaZaa P2P networks.



__________________________________________



For detection, we add below the EXTRA.DAT script provided by McAfee. Select it, copy and paste it into Notepad, save it as EXTRA.DAT, and add it to the DATs folder of the McAfee antivirus:



__________________________________________



119 178 136 180 77 51 192 133 158 52 141 243 13 51 141 254

87 232 140 190 241 55 29 163 13 51 85 183 13 51 137 179

214 50 151 143 168 55 125 157 68 47 40 182 253 29 196 149

108 64 54 182 88 89 233 48 242 213 143 76 13 250 157 126

2 60 130 188 192 60 130 188 2 254 130 188 2 60 192 244

196 35 192 188 2 60 130 126 2 60 130 188 192 60 130 188

2 126 249 48 15 56 141 206 214 50 128 104 12 41 128 49

8 51 114 76 12 51 153 180

8262 256 12504 336 M6



119 178 157 179 77 51 218 128 63 28 221 223 104 75 248 192

77 126 192 32 10 59 205 179 13 51 231 76 158 52 138 243

13 51 141 13 169 204 140 199 142 49 141 182 232 60 184 23

130 51 37 80 14 183 143 135 0 164 144 24 1 233 140 190

184 19 114 178 9 51 142 196 111 51 135 150 107 111 210 219

110 29 255 216 127 54 192 242 95 113 140 181 64 118 194 228

229 54 128 49 8 51 185 167 242 50 15 182 13 153 239 76

12 39 64 177 10 51 195 180

8693 256 12504 336 W32/Plexus@MM



__________________________________________



To remove this virus you can use either of the two utilities ELIRPCA.EXE or ELILSA.EXE; we recommend updating the Microsoft patches by connecting to Windows Update, since it may have entered through a missing MS04-011 or MS04-012 patch, apart from the possibility of having run the file attached to the mail or of being infected via P2P shares.



Regards



ms, 4-06-2004
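Added example, not part of the forum post or of McAfee's description: a small defender-side indicator check that matches the host artifacts McAfee lists for W32/Plexus@MM (the dropped UPU.EXE, the NvClipRsv Run value, TCP port 1250, the worm's share and attachment filenames, and a tampered hosts file) against an inventory snapshot of one machine. The HostSnapshot structure and its field names are assumptions of this example, as is the hosts-file heuristic (the description does not say which names the worm redirects); only the indicator values come from the text above.

```python
# Added example: match W32/Plexus@MM host indicators (from the McAfee description
# quoted above) against a constructed inventory of one machine. HostSnapshot is a
# hypothetical structure for this example, not the output of any real tool.
from __future__ import annotations
from dataclasses import dataclass, field

# Indicator values quoted from the description.
DROPPED_FILE_SUFFIX = r"\system32\upu.exe"          # C:\WINNT\SYSTEM32\UPU.EXE
RUN_VALUE_NAME = "NvClipRsv"                         # HKLM\...\CurrentVersion\Run value
LISTEN_PORT = 1250                                   # TCP port opened by the worm
MAIL_ATTACHMENTS = {"SecUNCE.exe", "AtlantI.exe", "AGen1.03.exe", "demo.exe", "release.exe"}
SHARE_FILENAMES = {
    "AVP5.xcrack.exe", "ICQBomber.exe", "hx00def.exe", "InternetOptimizer1.05b.exe",
    "Shrek_2.exe", "UnNukeit9xNTICQ04noimageCrk.exe", "YahooDBMails.exe",
}


@dataclass
class HostSnapshot:
    """Assumed inventory of one machine, collected by whatever means the reader has."""
    files: list[str] = field(default_factory=list)             # full paths on local drives
    run_values: dict[str, str] = field(default_factory=dict)   # Run key: value name -> command
    listening_tcp_ports: set[int] = field(default_factory=set)
    hosts_file: str = ""                                       # contents of the hosts file
    share_files: list[str] = field(default_factory=list)       # filenames in shared folders


def hosts_file_suspicious(text: str) -> list[str]:
    """Heuristic: return hosts entries that pin a non-local name to the loopback
    address, the usual way a worm blocks antivirus update sites. Comments and
    the normal 'localhost' line are ignored."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        if addr in ("127.0.0.1", "::1") and any(
            n.lower() not in ("localhost", "localhost.localdomain") for n in names
        ):
            hits.append(line)
    return hits


def check_host(snap: HostSnapshot) -> list[str]:
    """Return one finding per matched indicator; an empty list means no match."""
    findings = []
    for path in snap.files:
        if path.lower().endswith(DROPPED_FILE_SUFFIX):
            findings.append(f"dropped file present: {path}")
    for name, cmd in snap.run_values.items():
        if name == RUN_VALUE_NAME or cmd.lower().endswith(DROPPED_FILE_SUFFIX):
            findings.append(f"persistence Run value {name!r} -> {cmd}")
    if LISTEN_PORT in snap.listening_tcp_ports:
        findings.append(f"TCP port {LISTEN_PORT} listening")
    for line in hosts_file_suspicious(snap.hosts_file):
        findings.append(f"hosts file entry: {line}")
    known = {n.lower() for n in MAIL_ATTACHMENTS | SHARE_FILENAMES}
    for fname in snap.share_files:
        if fname.lower() in known:
            findings.append(f"worm-named file in share: {fname}")
    return findings


# Constructed sample snapshots (not real systems).
INFECTED = HostSnapshot(
    files=[r"C:\WINNT\SYSTEM32\UPU.EXE", r"C:\WINNT\SYSTEM32\kernel32.dll"],
    run_values={"NvClipRsv": r"C:\WINNT\SYSTEM32\UPU.EXE"},
    listening_tcp_ports={135, 445, 1250},
    hosts_file="127.0.0.1 localhost\n127.0.0.1 update.example-av.invalid  # constructed\n",
    share_files=["Shrek_2.exe", "holiday.jpg"],
)
CLEAN = HostSnapshot(
    files=[r"C:\WINNT\SYSTEM32\kernel32.dll"],
    run_values={"Updater": r"C:\Program Files\Updater\updater.exe"},
    listening_tcp_ports={135, 445},
    hosts_file="# default hosts file\n127.0.0.1 localhost\n",
    share_files=["holiday.jpg"],
)

if __name__ == "__main__":
    for finding in check_host(INFECTED):
        print(finding)
    print("clean host findings:", check_host(CLEAN))
```

Run on the constructed INFECTED snapshot it reports five findings (file, Run value, port, hosts entry, share file) and none for CLEAN; in practice the snapshot fields would be filled from a directory listing, the Run key, a netstat listing and the hosts file of the machine being checked, and a hosts-file hit alone should be confirmed against the real entries rather than treated as proof on its own.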
