Fw: W32/Plage.worm

Parkinsn's Email List Message

Posting to the Parkinsn List is a benefit of Subscription

[Message Prev][Message Next][Thread Prev][Thread Next][Message Index][Thread Index]

Fw: W32/Plage.worm

Subject: Fw: W32/Plage.worm
From: Hans van der Genugten <genugten@xxxxxxxxxxxxx>
Date: Tue, 22 Feb 2000 13:58:45 -0500
Reply-to: Parkinson's Information Exchange Network <PARKINSN@xxxxxxxxxxxxxxxxxxxx>
Sender: Parkinson's Information Exchange Network <PARKINSN@xxxxxxxxxxxxxxxxxxxx>

www.mcafee.com

Virus Name
W32/Plage.worm

Date Added
1/13/00

Virus Characteristics
This is an Internet worm which can autoreply to unread email messages of
MAPI installed email clients. The autoreply message contains a brief note
along with an attachment of random EXE names. The email message will be
replied to in Unix-style format such as the example below:


----------------------------------------------------------------------------
----

Sent: Thursday, January 13, 2000 12:08 PM
To: SMTP:sender@xxxxxxxxxx
Subject: Re: original subject line
'Lastname, Firstname' wrote:
====
-
-
-
====

P2000 Mail auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '

> Get your FREE P2000 Mail now! <


----------------------------------------------------------------------------
----

The attachment is any of the following names:
billgt.exe
card.exe
docs.exe
fun.exe
hamster.exe
humor.exe
images.exe
joke.exe
midsong.exe
news_doc.exe
pics.exe
PsPGame.exe
searchURL.exe
SETUP.EXE
s3msong.exe
tamagotxi.exe

The size of the file is 102,400 bytes and has an icon similar to PKLite self
extracting, very similar to W32/ExploreZip.worm. There is one noticeable
difference however in that this worm was not witnessed to have removed files
from the system.

When the attachment is executed, it will give a phony error message and then
install itself on Windows 9x and NT systems. In Windows 9x, it copies itself
to the Windows folder as "INETD.EXE" and modify the WIN.INI to load at next
Windows startup. In Windows NT, the worm creates a key in the registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="Inetd"

Strings within the EXE suggest it was coded by a member of the virus group
29A.

====================

Indications Of Infection
Existence of file INETD.EXE as mentioned above, recipients of autoreplied
email notifying you of unsolicited attachment.

Method Of Infection
Running attached executable will install itself as mentioned above.

Removal Instructions
Use specified engine and DAT files for detection and removal.

Virus Information
Discovery Date: 1/13/00
Type: Virus
SubType: worm
Risk Assessment: Low

Variants
Name Type Sub Type Differences
Unknown

Aliases
I-Worm.P2000, Plage2000, W95/Plage.worm

Related Viruses
Unknown

Related Downloads
None

Related Images
None

Minimum Dat
4062

Minimum Engine
4.0.25

Prev by Message: Re: taste of sin
Next by Message: Watch 20/20 on Wed 2/23
Previous by thread: Nocotine and PD
Next by thread: Watch 20/20 on Wed 2/23
Index(es):
- Message
- Thread

Parkinsn's List Subject Index

Parkinsn's List Thread Index

Parkinsn's Archive Treasures Doctors, students, patients and caregivers find current Parkinson's information such as the Algorithm, Caregivers Handbook, and talks by respected Movement Disorder Specialists.

Mail converted by MHonArc 2.6.10

Match Keywords

Keywords:

Site Hosting donated by He.net
&
Grant from The Parkinson Alliance