W32/Plexus.B@mm

Analysis

This 32-bit virus uses three techniques in order to infect a host -

  • An attachment to an SMTP email
  • LSASS exploit
  • RPC DCOM exploit

This virus when run will attempt to connect with random IP addresses and compromise them using one of two exploits. Additionally it may send itself as an attachment to email messages sent to addresses discovered on the host system.
Loading At Windows Startup
The virus will register itself to load from its present location. It may exist as the file "svchost.exe", since that is the file name it uses when copying itself to a newly infected host. The registry may have an entry like this -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
NvClipRsv = C:\Winnt\System32\svchost.exe
Mydoom Resemblance
The virus contains code which looks strikingly similar to the virus Mydoom, with respect to the mass-mailing code. The virus seeks addresses on the host system by scanning certain file types (htm, html, tbb, php, txt).
The virus carries its own SMTP engine and uses mail servers on the host domain in order to send itself to others. The virus will select SMTP servers on the host domain that begin with these names, where <s> is the host domain -
mx.<s>
smtp.<s>
mail.<s>
mail1.<s>
ns.<s>
gate.<s>
Internet Spreading
This virus seeks random IP addresses across the Internet, searching for any response or acknowledgement that the end point connection exists. When a response is received, the virus targets that IP and attempts to break into it by issuing an RPC exploit or LSASS exploit against the target. Once the virus is successful, the virus issues instructions to copy the virus to the target using FTP and an FTP script. The script contains these instructions -
open <ip address> <port number>
l
p
get svchost.exe
quit
In the above, the port number is a random port selected by the virus during infection. The letters "l" and "p" relate to the logon ID and password respectively that the virus has established on the infected host.
Systems which are compromised may experience problems with the system files SVCHOST.EXE and/or LSASS.EXE. Both system files may terminate, and the system may in fact reboot after showing a 60-second countdown timer. In addition to these traits, the virus will bind to TCP port 1250 in order to receive and execute files. The Mydoom virus used TCP ports 3127 or 3128.
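Host-side triage for the two indicators named above (the NvClipRsv Run value and the TCP port 1250 listener), as an added example that is not part of the Fortinet write-up. The registry export and netstat lines are constructed samples; the function and variable names are this example's own.

```python
import re

# Indicators taken from the Plexus.B description above
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "NvClipRsv"
BACKDOOR_PORT = 1250

# Constructed sample of a .reg export of the Run key (backslashes are doubled in .reg files)
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvClipRsv"="C:\\Winnt\\System32\\svchost.exe"
"Synchronization Manager"="mobsync.exe /logon"
"""

# Constructed sample of `netstat -an` output
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       10.0.0.7:21            ESTABLISHED
"""


def find_run_entry(reg_text):
    """Return the command registered under the Plexus Run value, or None."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if in_run:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1) == RUN_VALUE:
                return m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return None


def find_listener(netstat_text, port=BACKDOOR_PORT):
    """True if any TCP socket is LISTENING on the given local port."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    return any(int(m.group(1)) == port
               for m in map(pat.match, netstat_text.splitlines()) if m)


def triage(reg_text, netstat_text):
    """Collect human-readable findings for the two indicators."""
    findings = []
    cmd = find_run_entry(reg_text)
    if cmd:
        findings.append(f"Run value {RUN_VALUE} -> {cmd}")
    if find_listener(netstat_text):
        findings.append(f"TCP port {BACKDOOR_PORT} listening")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```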

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, enable blocking of External to Internal and Internal to External traffic to TCP ports 135 and 445

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR: