Win32/Plexus is a mass-mailing e-mail worm that targets Microsoft Windows. The worm also spreads through Kazaa peer-to-peer network shares and to computers that have not been patched for the Windows vulnerabilities described in Microsoft Security Bulletins MS03-039 and MS04-011. Win32/Plexus opens a backdoor which allows attackers to run arbitrary code on the infected computer.

Threat behavior

A Win32/Plexus variant may perform actions such as the following:
  • Display a message box containing a purported error message, such as one of the following:
    "File is corrupted."
    "Could not initialize installation. File size expected=26523, size returned=26344."
    "Pack method not implemented."
    "CRC checksum failed."
  • Create a copy of itself in the Windows system folder.
  • Drop a child program at <Windows folder>\svchost.exe. Microsoft detects this file as Win32/Plexus also. The parent process runs <Windows folder>\svchost.exe and then exits.
  • Create a registry value containing data: <Windows folder>\svchost.exe
    in registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    This registry modification causes the worm to run automatically each time Windows starts.
  • Create a registry entry to cause the variant to run automatically each time Windows starts.
  • Copy itself to the Kazaa shared directory if Kazaa is installed, and to shared folders on the local file system if the computer is running a Windows NT-based system such as Windows 2000 or Windows XP.
  • Overwrite the Windows hosts file to prevent access to certain Kaspersky download sites.
  • Send a copy of itself as an e-mail attachment to e-mail addresses that it finds on the infected computer.
  • Open an FTP server on a randomly-selected port.
  • Spread to computers that have not been patched for the Windows vulnerabilities described in Microsoft Security Bulletins MS03-039 and MS04-011. From the remote computer, the worm can then download and run a copy of Win32/Plexus from the FTP server on the local computer.
  • Download and run a file. This opens a backdoor to allow attackers to run additional arbitrary code on the infected computer.
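
Two of the behaviors listed above leave artifacts that can be checked offline: a Run value that launches svchost.exe from the Windows folder instead of System32, and hosts-file entries for an antivirus vendor's domain. The following added example (not part of the original entry) checks exported Run values and hosts-file text for both. The function names, the C:\Windows install path, the watched domain suffix and all sample data are assumptions made for illustration, and Run data is assumed to have environment variables already expanded.

```python
import ntpath

# Folders where the genuine svchost.exe lives (assumes Windows is in C:\Windows).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def exe_path(command):
    """Extract the executable path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: cut after the first ".exe" so paths containing spaces survive.
    end = command.lower().find(".exe")
    return command[: end + 4] if end != -1 else command.split(" ", 1)[0]

def suspicious_run_values(run_values, legit_dirs=LEGIT_DIRS):
    """Return Run value names that launch svchost.exe from outside System32."""
    hits = []
    for name, command in run_values.items():
        path = ntpath.normpath(exe_path(command)).lower()
        folder, base = ntpath.split(path)
        if base == "svchost.exe" and folder not in legit_dirs:
            hits.append(name)
    return hits

def blocked_vendor_hosts(hosts_text, watched=("kaspersky.com",)):
    """Return hosts-file names under a watched domain; any mapping is suspect."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        for host in fields[1:]:                  # fields[0] is the IP address
            h = host.lower().rstrip(".")
            if any(h == d or h.endswith("." + d) for d in watched):
                hits.append(h)
    return hits

# Constructed sample data (not taken from a real infection).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "ExampleValue": r"C:\WINDOWS\svchost.exe",
}
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "127.0.0.1 downloads.kaspersky.com  # constructed entry\n"
)

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN))
    print(blocked_vendor_hosts(SAMPLE_HOSTS))
```

A hit from either function is a reason to scan the computer, not proof of infection on its own.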


Symptoms of the presence of Win32/Plexus may vary according to the particular variant.


Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with unknown attachments.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Highlight a connection that you want to help protect, and click Change settings of this connection.
  4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates, and select Keep my computer up to date.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see

Use caution with unknown attachments

Use caution before opening e-mail or IM attachments, even if you know the sender. If you do not know if the specified sender is the actual sender or you suspect that an attachment is not safe, delete the message immediately and run up-to-date antivirus software to check your computer for malicious software.

Remove unneeded network shares

Malicious software can often spread over network shares. Remove unneeded network shares that are mapped to your computer.
To remove network shares in Windows XP
  1. On the Start menu, click My Computer.
  2. On the Tools menu, click Disconnect Network Drives…
  3. In the Disconnect Network Drives dialog box, click the drives to disconnect and click OK.

Alert level: High
This entry was first published on: May 06, 2006
This entry was updated on: Sep 19, 2006

This threat is also detected as:
No known aliases