Look Out For 3-Headed Plexus Worm

A three-headed worm with a potentially dangerous payload has started spreading rapidly, prompting a warning from security experts that a malicious attacker could load and launch files on infected machines.

Russian anti-virus experts Kaspersky Labs has intercepted the Plexus.A worm infecting machines in three ways simultaneously: via e-mail attachments, on peer-to-peer networks and through the Local Security Authority Subsystem Service (LSASS) vulnerability that was patched by Microsoft in its April batch of security updates.

The appearance of yet another worm exploiting the LSASS flaw is a clear indication that PC users have been tardy about applying the MS04-011 security fix issued by Microsoft on April 13. An advisory from Kapersky Labs said the worm is also capable of exploiting the RPC DCOM vulnerabilities used by Sasser and Lovesan respectively.

“Plexus opens and tracks port 1250 allowing the virus writer to load and launch files on the infected machines,” the company said.

Analysis of the worm turned up rewritten code from the MyDoom mass-mailing
virus that squirmed through e-mail networks earlier this year.

By leaving a backdoor open, the virus writers can potentially commandeer
millions of zombie machines to send spam or to launch denial-of-service
attacks .

Kapersky Labs said Plexus.A, which carries a “moderate risk” rating,
copies itself to the Windows/Systems 32 directory as upu.exe and then
registers a file in the system registry auto-run key to propagate via Local
Area Networks (LANs) and file-sharing networks.

The worm copies itself to shared folders and accessible network resources
under filenames with .EXE extensions and then exploits two known Microsoft
Windows security vulnerabilities to spread.