Threat Encyclopedia


Win32/Plage

Win32/Plage is a worm that spreads as a file attached to an e-mail message. It propagates by replying to e-mail messages that have not been read yet.
The body of the message carrying the worm contains the following text:

I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion!
> Get your FREE P2000 now! <

The attachment is a file 102400 bytes long. One of the following strings may be used as its file name: pics.exe, images.exe, joke.exe, PsPGame.exe, news_doc.exe, hamster.exe, tamagotxi.exe, searchURL.exe, SETUP.EXE, Card.EXE, billgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe or fun.exe.
When the attached file is run, the worm displays the following window:

After it is clicked, the following window with a fake error message appears:

The worm copies itself under the name INETD.EXE into the directory in which the Windows operating system is installed. It also ensures that it is re-activated by writing to the RUN section of the file win.ini. This modification can be removed from Windows, but as long as the worm is active in memory it will always restore it. The worm has a stealth feature: it is not visible in the list of tasks. After being executed, the worm waits for 5 minutes and then starts replying to e-mail messages that have not been read yet. The worm marks messages it has already answered by adding 2 spaces to the message subject.
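A host and mail-gateway check built from the indicators above (an added example, not ESET's code): it flags a win.ini autostart entry for INETD.EXE and attachments that match a listed file name and the 102400-byte size. Treating the "RUN section" as either a `run=` key or a section named `[RUN]` is an assumption, and the sample win.ini is constructed.

```python
import re

# Indicators taken from the description above.
DROPPED_NAME = "inetd.exe"
ATTACHMENT_SIZE = 102400
ATTACHMENT_NAMES = {n.lower() for n in (
    "pics.exe", "images.exe", "joke.exe", "PsPGame.exe", "news_doc.exe",
    "hamster.exe", "tamagotxi.exe", "searchURL.exe", "SETUP.EXE", "Card.EXE",
    "billgt.exe", "midsong.exe", "s3msong.exe", "docs.exe", "humor.exe",
    "fun.exe")}

# Constructed sample, not taken from a real infected machine.
SAMPLE_WININI = """\
[windows]
load=
run=C:\\WINDOWS\\INETD.EXE
NullPort=None
"""


def winini_autorun_hits(text):
    """Return (section, line) pairs where win.ini autostarts INETD.EXE.

    Assumption: the "RUN section" is either a run= key (as under [windows])
    or a section literally named [RUN]; both are checked.
    """
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")
        in_run = key.strip().lower() == "run" or section == "run"
        # Compare on file name only: the Windows directory path varies
        # between machines, the dropped file name does not.
        names = [p.replace("\\", "/").rsplit("/", 1)[-1]
                 for p in re.split(r"[ ,;]+", (value or key).lower()) if p]
        if in_run and DROPPED_NAME in names:
            hits.append((section, line))
    return hits


def attachment_matches(filename, size):
    """True when an attachment has a listed name and the exact size."""
    return filename.lower() in ATTACHMENT_NAMES and size == ATTACHMENT_SIZE
```

Because the worm restores the win.ini entry while it is active in memory, a hit from `winini_autorun_hits` should be rechecked after the process has been stopped and the entry removed.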
When the worm is executed on Wednesday and before 2 o’clock, it displays the following window with the picture:

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.