The rebirth of Mydoom - new worm uses Mydoom code to create a blended threat

03 Jun 2004
Virus News

Kaspersky Lab has detected a potentially dangerous new Internet worm. Plexus.a spreads using three different methods: infected email attachments, file-sharing networks and via the LSASS and RPC DCOM vulnerabilities in MS Windows. A detailed analysis of the code confirms that the virus author used Mydoom source code as a foundation. The worm's payload includes attempts to prevent downloads of Kaspersky® Anti-Virus database updates.

Plexus.a uses a standard set of infection vectors. The worm masquerades as various distributives for popular applications and penetrates via LANs and file-sharing networks. A significant number of infections have occurred via well known MS Windows vulnerabilities: the LSASS breach used by Sasser and the RPC DCOM hole exploited by Lovesan. Lovesan struck in August 2003, but Plexus.a has detected and infected large numbers of machines where this vulnerability is still unpatched.

Plexus chooses from 5 email messages to baffle users. Each message has a different header, body and attachment name. The only characteristic which does not change is the file size: 16208 bytes when compressed with FSG and 57856 when uncompressed.

Upon execution Plexus.a copies itself to the Windows system registry under the name upu.exe. To ensure the worm activates every time the machine is re-booted, Plexus.a registers upu.exe as an autorun key in the system registry. The worm creates the identifier 'Expletus' in the system, meaning that only one copy of the worm will execute on the infected machine. Finally, Plexus sends copies of itself to all email addresses it has harvested from local disks.

Plexus.a carries a double payload. Firstly, the worm threatens all systems running Kaspersky Anti-Virus by attempting to prevent automatic antivirus database updates. Plexus.a replaces the contents of a folder in the system registry: until this folder is deleted from infected machines, users will need to download updates manually.

However, the worm's second payload threatens systems worldwide. The worm opens and tracks port 1250, making it possible for files to be remotely uploaded to and from the victim machine. The open port leaves the victim machine vulnerable to further attacks.

Kaspersky Lab has released an urgent update to the antivirus databases. If you suspect that your machine is have been infected you can download the update manually via the Internet.

A detailed description of Plexus.a is available in the Kaspersky Virus Encyclopedia.

Patches for the MS Windows vulnerabilities are available from Microsoft: