Virus Name : I-Worm/Plage
Virus type : E-mail
level : Low
an e-mail worm, uses MAPI functions to infect
e-mail messages. The worm has an icon similar to
PKLITE self extracting program, very similar to
Win32/ExploreZip worm. The infection method is
also similar to ExploreZip worm but it won't
delete the data files in the system.
The infected attachment
name will be pics.exe,
Card.EXE, joke.exe, billgt.exe, PsPGame.exe,
midsong.exe, news_doc.exe, s3msong.exe,
hamster.exe, docs.exe, tamagotxi.exe, humor.exe,
searchURL.exe or fun.exe.
When the infected file
from attach is executed, the worm gets control,
copies itself to the Windows directory with the
INETD.EXE name and registers itself in Windows
system as auto-run application: under Win9x the
worm creates the new
"run=WinDir\INETD.EXE" instruction in
"windows" section in the WIN.INI file
(where "WinDir" is the name of Windows
directory); under WinNT the virus creates a new
"Run=INETD" instruction in system
hide its activity the worm displays the fake
and then the
Where "FileName" in both messages is
the name of infected EXE file that is being run.
While sending infected
messages the worm "answers" already
existing messages, so the header and message body
in infected messages may have different subjects
and bodies. It will send an email attachment
"INETD.EXE" with the content
"P2000 Mail auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your
Get your FREE P2000 Mail now! <
If the worm starts on
Wednesday at 2:00am, it also tries to display
another Dialog box. This dialog is activated only
in case Borland class controls are installed, so
this dialog is not usual Windows installation.
The dialog contains an image of Adolf activated
under Hitler, and the texts:
Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a.Plage
How can I protect my
Solo has incorporated W32.Plage@mm in its signature file to
protect users from this worm attack. Solo
antivirus registered users are already protected
from this worm. Make sure that you have installed
registered version of Solo Antivirus to protect
your system from all virus threats.
to remove this worm?
can be cleaned manually. To clean the virus in
Windows95 and 98, restart the machine in DOS
mode. Then delete "INETD.EXE" in the
Windows directory. Using the editor remove the
entries "Run=C:\windows\INETD.EXE" in
this worm in Windows NT, close all the programs
using Task Manager. Then delete
"INETD.EXE" in the WinNT directory.
Plage worm will change the registry to load
automatically on every boot. To remove this, open
the registry using "regedit.exe" and
modify the key value from "run"="INETD" to empty
in the registry entry
you are already infected with this worm, you can
remove it from your computer using Solo Antivirus
software. Solo antivirus can detect and
remove W32.Plage@mm safely. Use the
following link to Download 30 day trial
version of Solo antivirus
remove viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts,
Trojans, Backdoors, boot sector, partition table
and macro viruses.
purchase Solo antivirus using the link