
BEWARE OF I-WORM/PLAGE
Plage is an e-mail worm that uses MAPI functions to infect e-mail messages. The worm has an icon similar to that of a PKLITE self-extracting program, very similar to the Win32/ExploreZip worm. The infection method is also similar to the ExploreZip worm, but it won't delete the data files in the system.
The infected attachment name will be pics.exe, setup.exe, images.exe, Card.EXE, joke.exe, billgt.exe, PsPGame.exe, midsong.exe, news_doc.exe, s3msong.exe, hamster.exe, docs.exe, tamagotxi.exe, humor.exe, searchURL.exe or fun.exe.
When the infected attached file is executed, the worm gets control, copies itself to the Windows directory under the name INETD.EXE and registers itself in the Windows system as an auto-run application: under Win9x the worm creates a new "run=WinDir\INETD.EXE" instruction in the "windows" section of the WIN.INI file (where "WinDir" is the name of the Windows directory); under WinNT the virus creates a new "Run=INETD" instruction in the system registry.
To hide its activity, the worm displays a fake dialog box:

and then the "error" message:

Note: "FileName" in both messages is the name of the infected EXE file that is being run.
While sending infected messages, the worm "answers" already existing messages, so the header and message body in infected messages may have different subjects and bodies. It will send an e-mail attachment "INETD.EXE" with the content:
P2000 Mail auto-reply:
' I'll try to reply as soon as possible. Take a look to the attachment and send me your opinion! '
> Get your FREE P2000 Mail now! <
If the worm starts on Wednesday at 2:00am, it also tries to display another dialog box. This dialog is activated only if Borland class controls are installed, so it does not appear on a usual Windows installation. The dialog contains an image of Adolf Hitler, and the texts:
Follow your leader
Fight against the plage of inhumanity.
This is Plage 2000 coded by Bumblebee/29a.
Plage 2000 Activation
Cleaning Procedure:
This worm can be cleaned manually. To clean the virus in Windows 95 and 98, restart the machine in DOS mode. Then delete "INETD.EXE" in the Windows directory. Using an editor, remove the entry "Run=C:\windows\INETD.EXE" from the "win.ini" file.
To clean this worm in Windows NT, close all programs using Task Manager. Then delete "INETD.EXE" in the WinNT directory. The Plage worm changes the registry so that it loads automatically on every boot. To remove this, open the registry using "regedit.exe" and change the value "run"="INETD" to empty in the registry entry "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows".
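The WIN.INI step of the Windows 95/98 procedure above can be scripted. The following is an added example, not part of the original advisory or of the vendor's cleaning utility: it removes only the INETD.EXE entry from the "run=" line of the "windows" section, so other auto-run programs on the same line are kept. The function name clean_win_ini, the space-or-comma separator handling and the sample file content are assumptions made for illustration.

```python
import re

WORM_FILE = "inetd.exe"  # name the advisory says the worm copies itself under

def _is_worm(entry):
    # Compare the file name only: the advisory gives the path as WinDir\INETD.EXE,
    # and WinDir differs between machines.
    name = entry.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower() == WORM_FILE

def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for the contents of a WIN.INI file."""
    out, removed, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[([^\]]*)\]", stripped)
        if header:
            section = header.group(1).strip().lower()
        elif section == "windows" and "=" in stripped and not stripped.startswith(";"):
            key, value = stripped.split("=", 1)
            if key.strip().lower() == "run":
                # Assumption: run= may list several programs separated by
                # spaces or commas (paths without embedded spaces).
                entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
                keep = [e for e in entries if not _is_worm(e)]
                removed += [e for e in entries if _is_worm(e)]
                line = key + "=" + " ".join(keep)
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample, not taken from a real machine. The [fonts] line shows
# that only the "windows" section is modified.
SAMPLE = (
    "[windows]\n"
    "load=\n"
    "Run=C:\\windows\\INETD.EXE C:\\TOOLS\\CLOCK.EXE\n"
    "[fonts]\n"
    "run=C:\\windows\\INETD.EXE\n"
)

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE)
    print("removed:", removed)
    print(cleaned, end="")
```

Run it on a copy of win.ini and review the removed entries before replacing the original file.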
How can I protect my system?
Fire has incorporated Plage into its virus signature file, with the aim of helping users affected by this worm attack to detect and eliminate it from their systems. Fire anti-virus users can update this signature file from our web site. A free utility to detect and clean this virus is also available in the Download Center.
