The worm, known as Plexus or Explet, uses more than one method of infecting PCs, including exploiting a pair of vulnerabilities in Windows.

InformationWeek Staff, Contributor

June 3, 2004

4 Min Read

A new worm that may be double the trouble was spotted in the wild Thursday by several anti-virus vendors. Dubbed Plexus by Moscow-based Kaspersky Labs and Explet.a by Symantec Corp., the worm uses multiple methods to infect PCs, including exploiting a pair of vulnerabilities in Windows.

"The worm's payload threatens systems worldwide," Kaspersky Labs said in an E-mailed statement.

Although the worm can arrive in the more traditional manner, as an executable file attachment to an E-mail message, Plexus/Explet can also infect systems without any human intervention by exploiting 2003's RPC DCOM vulnerability--the one that Blaster used last August--and this year's LSASS vulnerability, the route that Sasser took in late April and early May.

Both vulnerabilities can be exploited by attackers without requiring any user action. Like its Blaster and Sasser predecessors, Plexus/Explet scans for unpatched systems--fixes for both vulnerabilities are available via Microsoft's Windows Update service Web site--and inserts its code unseen.

"The interesting thing about this worm is that it combines multiple vulnerabilities," said Vincent Gullotto, VP of Network Associates' Avert research team. Network Associates has trapped a sample of the worm, but has yet to assign it a name.

"We're only going to see more of this as we go forward," Gullotto said. "Hackers are trying to use multiple opportunities to infect systems, use as many different avenues as possible."

"This is a perfect example of a blended threat," added Brian Dunphy, the director of Symantec's managed security services group. "It's primarily a mass-mailer from what we've seen so far, but like worms such as Nimda, it exploits multiple vulnerabilities within Windows."

Nimda, a worm that debuted in 2001, exploited multiple vulnerabilities simultaneously, as well as back doors left by the even older Code Red worm. It was "the mother of all proof-of-concept viruses," according to Network Associates' Gullotto. But malicious code that tries to take advantage of more than one vulnerability in Windows is still "relatively uncommon," he added.

Plexus/Explet can arrive as one of five different .exe file attachments in messages using one of five different subject lines, and uses a third method to spread through shared network folders and the Kazaa file-sharing network. When using that tactic, the worm may be tucked into a file named "Shrek_2.exe," an attempt to entice users to open the file thinking it's a digital copy of the popular animated film that opened recently.

The worm also specifically targets Kaspersky Labs' anti-virus software by disabling its automatic update capabilities. "Plexus replaces the contents of a folder in the system registry: until this folder is deleted from infected machines, users will need to download updates manually," warned Alexey Zernov of Kaspersky Labs.

Although Symantec wasn't able to confirm, Kaspersky Labs claimed that its analysis revealed that some of the code in Plexus/Explet is re-used source code from the MyDoom worm of earlier this year.

"But I wouldn't be surprised if that's the case," said Dunphy. "It's very common for viruses to share code these days."

Currently, Plexus/Explet is rated as a "moderate" threat by Kaspersky and a "2" on Symantec's 1-through-5 scale. But because the worm opens a back door via TCP port 1250, then reports back when it infects a system, both security firms are watching the worm closely.

"If it does go wide scale," said Dunphy, "the back door could be used to plant additional code, to essentially upgrade the worm."
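The one concrete network indicator the article gives is the back door on TCP port 1250. The following is an added example, not code from the article or from Kaspersky, Symantec or Network Associates: a small sweep that reports which hosts accept a connection on that port, and separately which hosts still expose the two services the worm attacks on its way in. The port 1250 comes from the article; the ingress ports 135 (RPC/DCOM) and 445 (SMB, the path to LSASS), the host list, the timeout and the throwaway localhost listener used for the demonstration are assumptions constructed for illustration. A listener on 1250 is an indicator to follow up with a sample, not proof of infection, and this probe cannot tell a filtered port from a closed one.

```python
# Added example: sweep hosts for the Plexus/Explet back-door port (1250, per the
# article) and for exposure of the RPC DCOM / LSASS ingress services.
# Not code from the article or from any vendor named in it.
# Assumptions: ports 135 and 445 are not stated in the article; the host list,
# timeout and the local demo listener are constructed for illustration.
import socket
from typing import Dict, Iterable, List, Tuple

BACKDOOR_PORT = 1250            # stated in the article
INGRESS_PORTS = (135, 445)      # assumption: RPC DCOM and LSASS-over-SMB exposure


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`.

    Connection refused, timeout and unreachable host all count as closed,
    so a firewalled (filtered) port looks the same as a closed one here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(hosts: Iterable[str], backdoor_port: int = BACKDOOR_PORT,
          ingress_ports: Tuple[int, ...] = INGRESS_PORTS,
          timeout: float = 0.5) -> Dict[str, Dict[str, object]]:
    """Per host: does the back-door port answer, and which ingress ports
    are reachable. A listener on the back-door port is an indicator only;
    any service could be bound there, so confirm with a sample."""
    results: Dict[str, Dict[str, object]] = {}
    for host in hosts:
        results[host] = {
            "backdoor_listening": tcp_port_open(host, backdoor_port, timeout),
            "exposed_ingress": [p for p in ingress_ports
                                if tcp_port_open(host, p, timeout)],
        }
    return results


def suspects(results: Dict[str, Dict[str, object]]) -> List[str]:
    """Hosts worth pulling a sample from: the back-door port accepts connections."""
    return [h for h, r in results.items() if r["backdoor_listening"]]


def demo_with_local_listener() -> Tuple[bool, bool]:
    """Stand-in for a real network: bind a throwaway listener on localhost so
    the sweep has something to find, then close it and sweep again.
    Returns (seen_while_listening, seen_after_close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    # The kernel completes the handshake from the listen backlog, so the
    # probe succeeds without the server ever calling accept().
    while_open = sweep(["127.0.0.1"], backdoor_port=port, ingress_ports=())
    srv.close()
    after_close = sweep(["127.0.0.1"], backdoor_port=port, ingress_ports=())
    return (bool(while_open["127.0.0.1"]["backdoor_listening"]),
            bool(after_close["127.0.0.1"]["backdoor_listening"]))


if __name__ == "__main__":
    # Constructed host list; replace with the address range you manage.
    for host, r in sweep(["127.0.0.1"]).items():
        print(host, r)
    print("demo (listening, closed):", demo_with_local_listener())
```

Run it against the address ranges you own, then treat every host in `suspects()` as a lead, not a verdict: collect the binary and confirm it against a vendor signature before acting. Hosts that show 135 or 445 reachable from where you scanned are the ones that still need the Windows Update fixes the article mentions, whether or not the back door is present.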

Also, Symantec upped its threat level for the Korgo.f worm on Wednesday from a 2 to a 3, citing a dramatic spike in submissions from both corporate and consumer customers.

The Korgo line, which also exploits the LSASS vulnerability within Windows, first appeared last week, when three variations debuted. Since then, four new copycats have been detected, including Korgo.f and, most recently, Korgo.g.

"The changes between the variations are very, very subtle," said Symantec's Dunphy.

Although the number of Korgo.f submissions Symantec received began to plateau late Wednesday, it's keeping the threat level at "3" for the time being.

Korgo.g, which first appeared Wednesday, is also on the radar of several anti-virus firms. Symantec rated this version as a 2, but Gullotto of Network Associates said "we're watching this one closely."

The success of worms such as Plexus/Explet and Korgo is additional proof that not everyone is patching vulnerabilities in Microsoft's Windows.

"Clearly, not everyone's patched," said Gullotto. "And with next Tuesday being the scheduled day for Microsoft to release June's [security bulletins], there will undoubtedly be more things that people will have to patch."
