
BEWARE OF I-WORM/PLAGE

Virus Name : I-Worm/Plage
Virus type : E-mail worm
Threat level : Low

Virus details :
Plage is an e-mail worm that uses MAPI functions to infect e-mail messages. The worm has an icon similar to that of a PKLITE self-extracting program, much like the Win32/ExploreZip worm. The infection method is also similar to that of the ExploreZip worm, but it won't delete the data files in the system.

The infected attachment name will be pics.exe, setup.exe, images.exe, Card.EXE, joke.exe, billgt.exe, PsPGame.exe, midsong.exe, news_doc.exe, s3msong.exe, hamster.exe, docs.exe, tamagotxi.exe, humor.exe, searchURL.exe or fun.exe.

When the infected attachment is executed, the worm gets control, copies itself to the Windows directory under the name INETD.EXE and registers itself in the Windows system as an auto-run application: under Win9x the worm creates a new "run=WinDir\INETD.EXE" instruction in the "windows" section of the WIN.INI file (where "WinDir" is the name of the Windows directory); under WinNT the virus creates a new "Run=INETD" instruction in the system registry.

To hide its activity the worm displays the fake dialog box:

and then the "error" message:

Note: "FileName" in both messages is the name of the infected EXE file that is being run.

While sending infected messages the worm "answers" already existing messages, so the header and message body in infected messages may have different subjects and bodies. It will send an email attachment "INETD.EXE" with the content:

P2000 Mail auto-reply:
' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '
> Get your FREE P2000 Mail now! <

If the worm starts on Wednesday at 2:00am, it also tries to display another dialog box. This dialog is activated only if Borland class controls are installed, so it is not activated under a usual Windows installation. The dialog contains an image of Adolf Hitler, and the texts:

Follow your leader
Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a.

Plage 2000 Activation

How can I protect my system?

Solo has incorporated W32.Plage@mm in its signature file to protect users from this worm attack. Registered Solo Antivirus users are already protected from this worm. Make sure that you have installed a registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

This worm can be cleaned manually. To clean the virus in Windows 95 and 98, restart the machine in DOS mode. Then delete "INETD.EXE" in the Windows directory. Using a text editor, remove the entry "Run=C:\windows\INETD.EXE" from the "win.ini" file.

To clean this worm in Windows NT, close all the programs using Task Manager. Then delete "INETD.EXE" in the WinNT directory. The Plage worm changes the registry so that it loads automatically on every boot. To remove this, open the registry using "regedit.exe" and change the key value from "run"="INETD" to empty in the registry entry "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows".
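
The manual checks above can be scripted. The following is an added example, not part of the original advisory or of any Solo product: it scans WIN.INI text for the "run=" entry in the "windows" section and matches attachment names against the list given earlier. The function names and the sample WIN.INI content are constructed for illustration.

```python
# Added example: checks for the Plage indicators listed in this advisory.
# Function names and the sample data below are constructed, not from the worm.
import ntpath

# Attachment names from the advisory, plus INETD.EXE (the installed copy,
# which the advisory also names as an attachment). Compared case-insensitively.
PLAGE_ATTACHMENTS = {n.lower() for n in (
    "pics.exe", "setup.exe", "images.exe", "Card.EXE", "joke.exe",
    "billgt.exe", "PsPGame.exe", "midsong.exe", "news_doc.exe",
    "s3msong.exe", "hamster.exe", "docs.exe", "tamagotxi.exe",
    "humor.exe", "searchURL.exe", "fun.exe", "INETD.EXE")}

# Constructed sample of an infected Win9x WIN.INI.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\INETD.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def winini_plage_entries(text):
    """Return programs on run= in [windows] whose file name is INETD(.EXE)."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section != "windows" or not sep or key.strip().lower() != "run":
            continue
        # run= may list several programs separated by spaces or commas
        for prog in value.replace(",", " ").split():
            if ntpath.basename(prog).lower() in ("inetd.exe", "inetd"):
                hits.append(prog)
    return hits


def suspicious_attachments(names):
    """Return the attachment names that match the advisory's list."""
    return [n for n in names if ntpath.basename(n).lower() in PLAGE_ATTACHMENTS]


if __name__ == "__main__":
    print(winini_plage_entries(SAMPLE_WIN_INI))
    print(suspicious_attachments(["report.doc", "Joke.EXE"]))
```

A name match on an attachment is only a triage hint, since names such as setup.exe are common; the WIN.INI entry pointing at INETD.EXE in the Windows directory is the stronger indicator.
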

If you are already infected with this worm, you can remove it from your computer using Solo Antivirus software. Solo Antivirus can detect and remove W32.Plage@mm safely. Use the following link to download a 30-day trial version of Solo Antivirus [1670 KB] to remove viruses from your computer.

Solo Antivirus not only scans for all viruses, it also contains a unique System Integrity Checker to protect you from new Internet worms, backdoors and malicious VB and Java scripts. It also effectively removes all existing Internet worms, file viruses, malicious VB and Java scripts, Trojans, backdoors, and boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link
