Worm Exploits Multiple Windows Vulnerabilities

Dubbed Plexus, by Moscow-based Kaspersky Labs, and Explet.a, by Symantec, the worm uses multiple methods to infect PCs, including exploiting a pair of vulnerabilities in Windows.

"The worm's payload threatens systems worldwide," said Kaspersky Labs in an e-mailed statement.

Although its payload can arrive in the more traditional manner as an executable file attachment to an e-mail message, Plexus/Explet can also infect systems without any human intervention by exploiting 2003's RPC DCOM vulnerability--the one that MSBlast used last August--and this year's LSASS vulnerability, the route that Sasser took in late April and early May.

Both vulnerabilities can be exploited by attackers without requiring any user action. Like its MSBlast and Sasser predecessors, Plexus/Explet scans for unpatched systems--fixes for both vulnerabilities are available via Microsoft's Windows Update service Web site--and inserts its code unseen.

Sponsored post

"The interesting thing about this worm is that it combines multiple vulnerabilities," said Vincent Gullotto, the vice president of Network Associates' AVERT research team. Network Associates has trapped a sample of the worm, but has not yet assigned it a name.

"We're only going to see more of this as we go forward," said Gullotto. "Hackers are trying to use multiple opportunities to infect systems, use as many different avenues as possible."

"This is a perfect example of a blended threat," added Brian Dunphy, the director of Symantec's managed securities services group. "It's primarily a mass-mailer from what we've seen so far, but like worms such as Nimda, it exploits multiple vulnerabilities within Windows."

Nimda, a worm that debuted in 2001, exploited multiple vulnerabilities simultaneously, as well as backdoors left by the even older Code Red. It was "the mother of all proof-of-concept viruses," according to Network Associates' Gullotto. But malicious code that tries to take advantage of more than one vulnerability in Windows is still "relatively uncommon," he added.

Plexus/Explet can also arrive as one of five different .exe file attachments in messages using one of five different subject lines, and uses a third method to spread through shared network folders and the KaZaa file-sharing network. When using that tactic, the worm may be tucked into a file named "Shrek_2.exe," an attempt to entice users to open the file thinking it's a digital copy of the popular animated film that opened recently.

The worm also specifically targets Kaspersky Labs' anti-virus software by disabling its automatic update capabilities. "Plexus replaces the contents of a folder in the system registry: until this folder is deleted from infected machines, users will need to download updates manually," warned Alexey Zernov of Kaspersky.

Although Symantec wasn't able to confirm, Kaspersky Labs claimed that its analysis revealed that some of the code in Plexus/Explet is re-used source code from the destructive MyDoom worm of earlier this year.

"But I wouldn't be surprised if that's the case," said Dunphy. "It's very common for viruses to share code these days."

Currently, Plexus/Explet is rated as a "moderate" threat by Kaspersky and a "2" by Symantec, using its 1 through 5 scale. But because the worm opens a backdoor via TCP port 1250, then reports back when it infects a system, both security firms are watching the worm closely.

"If it does go wide scale," said Dunphy, "the backdoor could be used to plant additional code, to essentially upgrade the worm."

In other security news, Symantec upped its threat level for the Korgo.f worm on Wednesday from a 2 to a 3, citing a dramatic spike in submissions yesterday from both corporate and consumer customers.

The Korgo family, which also exploits the LSASS vulnerability within Windows, first appeared last week, when three variations debuted. Since then, four new copy-cats, including Korgo.f and, the most recent, Korgo.g, have been detected.

"The changes between the variations are very, very subtle," said Symantec's Dunphy.

Although the number of Korgo.f submissions Symantec received began to plateau late Wednesday, the security firm is keeping the threat level at "3" for the time being.

Korgo.g, which first appeared Wednesday, is also on the radar of several anti-virus firms. Symantec rated this version as a 2, but Gullotto of Network Associates said "we're watching this one closely."

The success of worms such as Plexus/Explet and Korgo are additional proof--as if it's needed--that not everyone is patching vulnerabilities in Microsoft's Windows.

"Clearly, not everyone's patched," said Gullotto. "And with next Tuesday being the scheduled day for Microsoft to release June's [security bulletins], there will undoubtedly be more things that people will have to patch."

*This story courtesy of Techweb.com.