A Win32/Plexus variant may perform actions such as the following:
- Display a message box containing a purported error message, such as one of the following:
  - "File is corrupted."
  - "Could not initialize installation. File size expected=26523, size returned=26344."
  - "Pack method not implemented."
  - "CRC checksum failed."
- Create a copy of itself in the Windows system folder.
- Drop a child program at <Windows folder>\svchost.exe. Microsoft also detects this file as Win32/Plexus. The parent process runs <Windows folder>\svchost.exe and then exits.
- Create a registry value containing the data <Windows folder>\svchost.exe in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This registry modification causes the worm to run automatically each time Windows starts.
- Create a registry entry to cause the variant to run automatically each time Windows starts.
- Copy itself to the Kazaa shared directory if Kazaa is installed, and to shared folders on the local file system if the computer is running a Windows NT-based system such as Windows 2000 or Windows XP.
- Overwrite the Windows hosts file to prevent access to certain Kaspersky download sites.
- Send a copy of itself as an e-mail attachment to e-mail addresses that it finds on the infected computer.
- Open an FTP server on a randomly selected port.
- Spread to computers that have not been patched for the Windows vulnerabilities described in Microsoft Security Bulletins MS03-039 and MS04-011. From the remote computer, the worm can then download and run a copy of Win32/Plexus from the FTP server on the local computer.
- Download and run a file. This opens a backdoor to allow attackers to run additional arbitrary code on the infected computer.
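Two of the indicators above are easy to check from collected host data: a Run value that launches svchost.exe from the Windows folder itself (the legitimate Service Host binary lives in <Windows folder>\System32), and hosts-file entries that redirect security-vendor download sites. The script below is an added example and is not part of the Microsoft encyclopedia entry. It works on text already exported from a machine (the Run key values and the hosts file contents) so it runs anywhere; the sample Run values and hosts file are constructed, and the Windows folder path and the watched-domain keyword list are assumptions.

```python
"""Offline checks for the Win32/Plexus persistence and hosts-file indicators.

Added example, not Microsoft's code. Inputs are text collected from a host:
the HKLM\...\CurrentVersion\Run values and the contents of the hosts file
(normally <Windows folder>\System32\drivers\etc\hosts). ntpath is used so
Windows paths are handled correctly even when this runs on a non-Windows
analysis machine.
"""
import ntpath
import re
from typing import Dict, List, Tuple

WINDOWS_DIR = r"C:\Windows"  # assumption: the default <Windows folder>

# Constructed sample of exported Run values; the "Service Host" entry matches
# the Plexus indicator (svchost.exe directly in the Windows folder).
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "Service Host": r"C:\Windows\svchost.exe",
    "Updater": r'"C:\Program Files\Vendor App\updater.exe" /background',
}

# Constructed hosts file: one legitimate line, then vendor sites redirected to loopback.
SAMPLE_HOSTS = """# constructed hosts file for the example
127.0.0.1       localhost
127.0.0.1       downloads1.kaspersky-labs.com
127.0.0.1       www.kaspersky.com   # redirected
"""

# Domain keywords to watch; "kaspersky" comes from the page, extend as needed (assumption).
WATCHED_DOMAIN_KEYWORDS = ("kaspersky",)

# A Run value is a command line: either a quoted path or the first whitespace-free token.
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def executable_path(command: str) -> str:
    """Extract the executable path from a Run value command line."""
    m = _EXE_RE.match(command)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def suspicious_run_values(values: Dict[str, str],
                          windows_dir: str = WINDOWS_DIR) -> List[Tuple[str, str]]:
    """Return (value name, path) for Run entries that start svchost.exe
    from anywhere other than <Windows folder>\\System32."""
    legit_dir = ntpath.normcase(ntpath.join(windows_dir, "System32"))
    hits = []
    for name, command in values.items():
        path = executable_path(command)
        directory, filename = ntpath.split(path)
        if filename.lower() != "svchost.exe":
            continue
        if ntpath.normcase(directory) != legit_dir:
            hits.append((name, path))
    return hits


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text: str,
                             keywords=WATCHED_DOMAIN_KEYWORDS) -> List[Tuple[str, str]]:
    """Any hosts entry for a watched vendor domain is anomalous: a clean hosts
    file should not name security-vendor sites at all."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if any(k in host for k in keywords)]


if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"suspicious Run value {name!r} -> {path}")
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {host} to {ip}")
```

On a live machine the same two functions can be fed the output of a registry export of the Run key and the contents of the hosts file; because the hosts check flags any entry for a watched domain rather than a particular IP, it also catches redirects to addresses other than loopback.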
Symptoms of the presence of Win32/Plexus may vary according to the particular variant.
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with unknown attachments.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
1. Click Start, and click Control Panel.
2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
3. Highlight a connection that you want to help protect, and click Change settings of this connection.
4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
1. Click Start, and click Control Panel.
2. Click Automatic Updates, and select Keep my computer up to date.
3. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with unknown attachments
Use caution before opening e-mail or IM attachments, even if you know the sender. If you are not sure that the specified sender is the actual sender, or you suspect that an attachment is not safe, delete the message immediately and run up-to-date antivirus software to check your computer for malicious software.
Remove unneeded network shares
Malicious software can often spread over network shares. Remove unneeded network shares that are mapped to your computer.
To remove network shares in Windows XP
1. On the Start menu, click My Computer.
2. On the Tools menu, click Disconnect Network Drives…
3. In the Disconnect Network Drives dialog box, click the drives to disconnect and click OK.