Classification

Category: Malware

Type: Worm

Aliases: Plage2000, Plage 2000, P2000, I-Worm.Plage, Worm.P2000

Summary

The Plage 2000 worm was first published on some virus distribution sites before the 10th of January 2000. Several days later it was found in the wild in several countries.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm itself is a PE executable 102400 bytes long. It is not encrypted, but encrypted versions of this worm could appear, which might make its detection harder. The worm has a WinZip icon and pretends to be a self-extracting ZIP archive.

The Plage worm arrives as an email attachment and, when run, installs itself on the system as INETD.EXE in the root Windows folder. The worm then modifies the WIN.INI file and the Registry so that it is run during every subsequent Windows session. While active in memory, the worm communicates with MAPI-compatible email clients, looks for unanswered messages and replies to them itself. The worm's reply message looks like an ordinary auto-reply of the kind many people use while they can't read their email:

P2000 Mail auto-reply:
' I'll try to reply as soon as possible.
Take a look to the attachment and send me your opinion! '
Get your FREE P2000 Mail now!

The worm's body is always attached to the message. The file name of the attachment is randomly selected by the worm from the following variants:

  • pics.exe
  • images.exe
  • joke.exe
  • PsPGame.exe
  • news_doc.exe
  • hamster.exe
  • tamagotxi.exe
  • searchURL.exe
  • SETUP.EXE
  • Card.EXE
  • billgt.exe
  • midsong.exe
  • s3msong.exe
  • docs.exe
  • humor.exe
  • fun.exe

When a recipient gets this message and clicks on the attachment (which he thinks is a ZIP archive), the worm infects his system as well. First the worm displays a WinZip Self-Extractor-like dialog.

When the user clicks the 'Unzip' or 'Run WinZip' button, the worm displays a fake error message and installs itself on the system.

If the 'Close' button is clicked, the worm installs itself on the system and exits without displaying anything. If any other button is clicked, a standard Windows error message is displayed and the worm installs itself on the system as well.

While active, the worm checks the date and time, and on Wednesdays right after midnight it tries to display a dialog with a picture and the following text:

Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a.

The worm doesn't have any destructive payload. However, because it spreads itself with a message that appears trustworthy, it may become widespread quickly.
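The mail-borne indicators described above (the auto-reply text, the attachment names and the 102400-byte unencrypted body) can be checked on a mail gateway or in an archived mailbox. The following Python sketch is an added example, not part of the original description; the function names `triage` and `build_sample` and the sample addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above (names compared case-insensitively).
ATTACHMENT_NAMES = {n.lower() for n in (
    "pics.exe", "images.exe", "joke.exe", "PsPGame.exe", "news_doc.exe",
    "hamster.exe", "tamagotxi.exe", "searchURL.exe", "SETUP.EXE", "Card.EXE",
    "billgt.exe", "midsong.exe", "s3msong.exe", "docs.exe", "humor.exe",
    "fun.exe")}
BODY_MARKERS = ("p2000 mail auto-reply", "get your free p2000 mail now")
UNENCRYPTED_SIZE = 102400  # bytes; an encrypted variant may not match this


def triage(raw_message: bytes) -> list[str]:
    """Return the Plage 2000 indicators found in one raw email message.

    A lone name hit (e.g. SETUP.EXE) is weak evidence; several hits together
    are what the description above characterises.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:  # inline part: look for the auto-reply text
            if part.get_content_type() == "text/plain":
                text = part.get_content().lower()
                hits += [f"body:{m}" for m in BODY_MARKERS if m in text]
            continue
        payload = part.get_payload(decode=True) or b""
        if name.lower() in ATTACHMENT_NAMES:
            hits.append(f"name:{name}")
        if len(payload) == UNENCRYPTED_SIZE and payload[:2] == b"MZ":
            hits.append(f"size:{UNENCRYPTED_SIZE}")
    return hits


def build_sample(body, filename=None, payload=b""):
    """Build a constructed test message; the payload is inert filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Re: hello"
    m.set_content(body)
    if filename:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

`triage` returns every indicator it finds rather than a verdict, so the caller can decide how many hits justify quarantining a message.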