To spread via network shares or P2P filesharing networks such as Kazaa, the worm copies itself to shared folders as Shrek_2.exe, InternetOptimizer1.05b.exe, AVP5.xcrack.exe, ICQBomber.exe, UnNukeit9xNTICQ04noimageCrk.exe, YahooDBMails.exe, or hx00def.exe. When it spreads via email, the worm attachment is named SecUNCE.exe, AtlantI.exe, AGen1.03.exe, demo.exe, or release.exe.
Depending on the variant, Plexus drops copies of itself to the Windows system folder as supu.exe, upu.exe, or both, and modifies the HKLM\...\Run key in the System Registry so that the worm runs when Windows starts.
Plexus has two malicious payloads. The first affects all victims of the worm, creating a backdoor on port 1250 of infected systems that can later be exploited to upload and execute malicious files. The second payload affects Kaspersky AntiVirus customers, overwriting the HOSTS file so that any attempts to access the Kaspersky update servers are redirected to the local loopback address.
Updated antivirus software should be used to detect and remove the worm. Kaspersky users who are unable to update should locate and delete the HOSTS file or restore a clean copy from backup, then update the Kaspersky software.
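Before deleting or restoring the HOSTS file, it can be checked for the loopback redirection described above. The following is an added example, not part of the original write-up: the watched domain suffix and the sample hostnames are assumptions, since the page does not list the exact update server names.

```python
import ipaddress

# Assumption: vendor domain suffix to watch; the page does not list the update hostnames.
WATCHED_SUFFIXES = ("kaspersky.com",)

def flag_loopback_redirects(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, address, hostname) for watched names mapped to loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2:
            continue  # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            continue  # first field is not an IP address
        if not addr.is_loopback:
            continue  # only 127.0.0.0/8 and ::1 are of interest here
        for name in entry[1:]:
            host = name.lower().rstrip(".")  # HOSTS names are case-insensitive
            # Match the suffix itself or a true subdomain, not a lookalike.
            if any(host == s or host.endswith("." + s) for s in suffixes):
                findings.append((line_no, str(addr), host))
    return findings

# Constructed sample HOSTS content; hostnames are placeholders, not the worm's list.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1   localhost
127.0.0.1   updates.kaspersky.com downloads.Kaspersky.com.  # redirected
10.0.0.5    intranet.example.test
127.0.0.1   notkaspersky.com
::1         www.kaspersky.com
bogus-line  kaspersky.com
"""

if __name__ == "__main__":
    for line_no, addr, host in flag_loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

Any finding means the file should be replaced with a clean copy before the antivirus update is retried.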
To prevent infection via the Internet, patch the system to protect against the RPC/DCOM and LSASS vulnerabilities. Visit the Windows Update site regularly to scan for known critical flaws and install any patches marked as critical. Avoid opening executable attachments received via email and avoid using P2P filesharing networks.

