x
48h OFFER
If you're already a customer of
our homeusers protection,
renew now with a 50% off
RENEW NOW
x
SPECIAL OFFER
If you're already a customer of
our homeusers protection,
renew now with a 50% off
RENEW NOW
x
HALLOWEEN OFFER
take advantage of our
terrific discounts
BUY NOW AND GET A 50% OFF
x
CHRISTMAS OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 40% OFF
x
SPECIAL OFFER
Buy the best antivirus
at the best price
BUY NOW AND GET A 50% OFF
x
BLACKFRIDAY OFFER
Buy the best antivirus
at the best price
TODAY ONLY UP TO 70% OFF
x
CYBERMONDAY OFFER
Buy the best antivirus
at the best price
(Only for homeusers)
TODAY ONLY UP TO 70% OFF
Active Scan. Scan your PC free
Panda Protection

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Plexus.B

Threat LevelModerate threatDamageHighDistributionNot widespread
Common name:Plexus.B
Technical name:W32/Plexus.B.worm
Threat level:Low
Type:Worm
Effects:  

It opens two ports, through which the worm can download and run files on the affected computer. It spreads by exploiting the LSASS and RPC DCOM vulnerabilities and restarts the computer.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on:June 7, 2004
Detection updated on:June 7, 2004
StatisticsNo
Proactive protection:
Yes, using TruPrevent Technologies

Brief Description 

    

Plexus.B is a worm that spreads through different means:

  • Through the Internet by exploiting the RPC DCOM and LSASS vulnerabilities in remote computers. The RPC DCOM vulnerability is critical for Windows 2003/XP/2000/NT computers that are not properly updated, whereas the LSASS vulnerability is critical for Windows XP/2000 operating systems that have not been patched.
  • Via e-mail, in an e-mail message with an attached file.
  • Through the peer-to-peer (P2P) file sharing program KaZaA.
  • Across computer networks.

When it exploits the LSASS vulnerability, Plexus.B can only affect and spread automatically to Windows XP/2000 computers that have their port 5000 open (by default, this port is open in Windows XP whereas it is closed in Windows 2000). However, computers with other Windows operating systems can also be a source of transmission when a malicious user runs the file containing the worm in any of these computers.

However, when it exploits the RPC DCOM vulnerability, Plexus.B affects Windows 2003/XP/2000/NT computers.

In both cases, Plexus.B restarts the computer automatically.

Plexus.B opens the TCP port 1250 and a random port and listens to them. If it were a connection available thorugh these ports, a remote user could download and execute files in the affected computer.

If you have any of the Windows operating systems mentioned above installed in your computer, it is highly recommendable to download the security patches for the RPC DCOM and LSASS vulnerabilities from the Microsoft website.

Visible Symptoms 

    

Plexus.B is easy to recognize, as it restarts computers when it attempts to affect them by exploiting the RPC DCOM (Windows 2003/XP/2000/NT) or LSASS (Windows XP/2000) vulnerabilities.

For example, if Plexus.B successfully exploits the LSASS vulnerability, the following message is displayed on screen:

A similar message is displayed when exploiting the RPC DCOM vulnerability.