CA warns 'Plage2000' is in the wild

The Plage2000 worm arrives as a reply to an email. It's harmless but it does automatically send a confusing response to any new emails.

Computer Associates International on Thursday warned of a new computer worm on the horizon, the "Plage2000", which could threaten computer email systems as well as e-business infrastructures.

The worm has been reported to be "in the wild" by customers of Computer Associates, the company said.

A worm is a computer program that replicates itself and spreads from computer to computer and infects an entire system. A computer virus, spreads from file to file. A worm can spread without human intervention.

The Plage2000 arrives as a reply to an email previously sent by the user. The original email will be quoted completely in the reply. The arriving email says:

P2000 Mail auto-reply:

' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! ' Get your FREE P2000 Mail now!

The worm is attached to the message under one of the following names: pics.exe, images.exe, joke.exe, PsPGame.exe, newsdoc.exe, hamster.exe, tamagotxi.exe, searchURL.exe, SETUP.EXE, Card.EXE, billgt.exe, midsong.exe, s3msong.exe, docs.exe, humor.exe, or fun.exe.

On execution, the worm will present itself as a self-extracting WinZip file. Extracting this will cause one of the following 2 messages to be displayed:

WinZip self-Extractor ZIP damaged: file worm name: Bad CRC number. Possible cause: file transfer error


WinZip self-Extractor -- worm name:worm name -- Application Error The exception unknown software exception (0xc00000fd) occurred in the application ....

In the background the worm copies itself to the Windows directory under the name INETD.EXE and adds itself to the registry: "HKEYCURRENTUSERSoftwareMicrosoftWindows NTCurrentVersionWindowsrun WindowsDirINETD.EXE".

Every five minutes the worm tries to establish a connection to a running Outlook or Exchange client. When new emails are received it will reply to the unread emails with an email like the one above. The original messages remain unread.

Although the worm does not have a destructive payload, its email propagation mechanism poses a threat to any eExchange email infrastructure since it can overload and take down mail servers.

What do you think? Tell the Mailroom. And read what others have said.

Take me to the Virus Workshop