Kaspersky Labs users directly threatened by new worm

Kaspersky Labs has detected a potentially dangerous new Internet worm. Plexus.a spreads using three different methods: infected email attachments, file-sharing networks and via the LSASS and RPC DCOM vulnerabilities in MS Windows. A detailed analysis of the code confirms that the virus author used Mydoom source code as a foundation. The worm's payload includes attempts to prevent downloads of Kaspersky® Anti-Virus database updates.

Plexus.a uses a standard set of infection vectors. The worm masquerades as distribution packages for popular applications and penetrates via LANs and file-sharing networks. A significant number of infections have occurred via well-known MS Windows vulnerabilities: the LSASS breach used by Sasser and the RPC DCOM hole exploited by Lovesan. Lovesan struck in August 2003, but Plexus.a has detected and infected large numbers of machines where this vulnerability is still unpatched.

Plexus chooses from 5 email messages to baffle users. Each message has a different header, body and attachment name. The only characteristic which does not change is the file size: 16208 bytes when compressed with FSG and 57856 when uncompressed.

Upon execution Plexus.a copies itself to the Windows system registry under the name upu.exe. To ensure the worm activates every time the machine is re-booted, Plexus.a registers upu.exe as an autorun key in the system registry. The worm creates the identifier 'Expletus' in the system, meaning that only one copy of the worm will execute on the infected machine. Finally, Plexus sends copies of itself to all email addresses it has harvested from local disks.

Plexus carries a double payload. Firstly, the worm threatens all systems running Kaspersky Anti-Virus by attempting to prevent automatic antivirus database updates. Plexus replaces the contents of a folder in the system registry: until this folder is deleted from infected machines, users will need to download updates manually.

However, the worm's second payload threatens systems worldwide. The worm opens and tracks port 1250, making it possible for files to be remotely uploaded to and from the victim machine. The open port leaves the victim machine vulnerable to further attacks.
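The indicators described above (the upu.exe file name, the two file sizes, the autorun entry, the 'Expletus' identifier and the listener on port 1250) can be combined into a simple host triage check. The following is an added example, not Kaspersky Labs code: the snapshot layout, the sample paths and registry value name, and the treatment of 'Expletus' as a named mutex are assumptions made for illustration.

```python
import ntpath
import re

# Indicators stated in the advisory; the snapshot layout below is an assumption.
WORM_FILE = "upu.exe"
WORM_SIZES = {16208, 57856}  # bytes: FSG-packed and unpacked
WORM_OBJECT = "Expletus"     # single-instance identifier (assumed to be a named mutex)
WORM_PORT = 1250

def exe_name(command):
    """Lower-cased executable name from a Windows path or autorun command line."""
    m = re.match(r'\s*"?(.*?\.exe)', command, re.IGNORECASE)
    return ntpath.basename(m.group(1) if m else command.strip().strip('"')).lower()

def triage(snap):
    """Return (severity, message) findings for one host snapshot."""
    findings = []
    for path, size in snap.get("files", []):
        if exe_name(path) == WORM_FILE:
            sev = "high" if size in WORM_SIZES else "medium"
            findings.append((sev, f"file {path} ({size} bytes)"))
    for key, value, command in snap.get("autoruns", []):
        if exe_name(command) == WORM_FILE:
            findings.append(("high", f"autorun {key}\\{value} -> {command}"))
    for name in snap.get("named_objects", []):
        # Object names may carry a namespace prefix such as \BaseNamedObjects\.
        if name.rsplit("\\", 1)[-1] == WORM_OBJECT:
            findings.append(("high", f"named object {name}"))
    for port, process in snap.get("listeners", []):
        if port == WORM_PORT:
            # The port alone is weak evidence; the owning process decides severity.
            sev = "high" if exe_name(process) == WORM_FILE else "medium"
            findings.append((sev, f"listener on port {port} owned by {process}"))
    return findings

def verdict(findings):
    """'infected' on any high finding, 'suspicious' on medium only, else 'clean'."""
    sevs = {sev for sev, _ in findings}
    return "infected" if "high" in sevs else "suspicious" if sevs else "clean"

# Constructed sample snapshots (not real telemetry).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
INFECTED = {
    "files": [(r"C:\WINDOWS\system32\upu.exe", 16208)],
    "autoruns": [(RUN_KEY, "example_value", r'"C:\WINDOWS\system32\UPU.EXE" -s')],
    "named_objects": [r"\BaseNamedObjects\Expletus"],
    "listeners": [(1250, r"C:\WINDOWS\system32\upu.exe")],
}
PORT_ONLY = {"listeners": [(1250, r"C:\Program Files\App\server.exe")]}
```

A host where only port 1250 is open is reported as suspicious rather than infected, since an unrelated service may be using that port.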

Kaspersky Labs has released an urgent update to the antivirus databases. If you suspect that your machine has been infected, you can download the update manually via the Internet. A detailed description of Plexus.a is available in the Kaspersky Virus Encyclopedia:
http://www.viruslist.com/eng/viruslist.html?id=1618235

Kaspersky Labs Corporate Communications
10, Geroyev Panfilovtsev St, Moscow, 125363, Russia
Tel.: +7 095 780 33 69; Fax: +7 095 948 43 31
E-mail: info@kaspersky.com; http://www.kaspersky.com;
