W32.Redplut


Aliases: Trojan.W32.Redplut, Email-Worm.Win32.VB.bd, W32/Redplut-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 17 Jan 2006
Damage: Medium

Characteristics: W32.Redplut is a worm. It attempts to spread through open file shares and lowers security settings. The worm infects Windows systems. It is a slow infector and causes medium damage to an infected computer. It can be easily removed from an infected system using updated antivirus software.

More details about W32.Redplut

When W32.Redplut is executed, it attempts to reboot the operating system. It copies itself as the files lcc.exe, gcc.exe, and setup32i.exe. It may also drop the files pluto.bmp and about.htm in the Windows System folder. It modifies the registry to make sure it loads itself every time Windows starts. It may start itself through system.ini and attempts to start the following services: Task Scheduler, Messenger, Remote Registry, SMTP, Telnet, and FTP Publishing. It tries to copy itself into existing .rar and .zip archives. It also attempts to spread through open file shares found on the compromised computer. It may also disable System File Protection and prepend itself to certain system executables and their .dll cache copies. The worm also lowers security settings by disabling the Windows Firewall, NT LAN Manager, and Automatic Updates.

The worm may change the desktop wallpaper to pluto.bmp. It may change the Internet Explorer start page to about.htm, which links to microsoft.com. It appears to replace the home page on infected Internet Information Services Web servers with a page titled Redplut. It may change the text of the Start button to "Štárt" and the name of the My Computer icon to "My Cömputër". Lastly, it may copy itself as pluto.exe to random directories. Remove the threat manually by updating virus definitions, running a full scan, and deleting files detected as W32.Redplut. In addition, delete the registry values the worm added.
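The indicators listed above can be turned into a triage checklist. The following is an added example, not code from the original page or from any antivirus vendor: it evaluates an in-memory host snapshot against the dropped file names, persistence points, lowered security settings and cosmetic changes described for Redplut. The snapshot field names and the sample values are constructed assumptions; a real collector would fill the same fields from the file system, registry and service state.

```python
# Added example: triage checklist for the Redplut indicators described above.
# The snapshot layout (field names) and the sample values are assumptions.

INDICATOR_FILES = {"lcc.exe", "gcc.exe", "setup32i.exe", "pluto.bmp", "about.htm"}
DROPPED_EXES = {n for n in INDICATOR_FILES if n.endswith(".exe")} | {"pluto.exe"}
DEFENCES = ("windows_firewall", "ntlm", "automatic_updates")

def triage(snapshot):
    """Return (severity, finding) tuples for the indicators present in a snapshot."""
    findings = []
    # 1. Files the worm drops in the Windows System folder.
    system_files = {f.lower() for f in snapshot.get("system_dir_files", [])}
    for name in sorted(INDICATOR_FILES & system_files):
        findings.append(("high", f"indicator file in System folder: {name}"))
    # 2. Persistence: Run values launching a dropped executable, and a system.ini shell= line.
    for value_name, command in snapshot.get("run_keys", {}).items():
        exe = command.lower().replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
        if exe in DROPPED_EXES:
            findings.append(("high", f"Run value '{value_name}' launches {exe}"))
    shell = snapshot.get("system_ini_shell", "explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(("medium", f"system.ini shell={shell} (expected explorer.exe)"))
    # 3. Security settings the worm lowers.
    for defence in DEFENCES:
        if snapshot.get(defence) == "disabled":
            findings.append(("medium", f"{defence} is disabled"))
    # 4. Cosmetic changes the page describes, useful as a quick visual tell.
    if snapshot.get("start_button_text") == "Štárt":
        findings.append(("low", "Start button renamed to 'Štárt'"))
    if snapshot.get("my_computer_name") == "My Cömputër":
        findings.append(("low", "My Computer renamed to 'My Cömputër'"))
    # 5. pluto.exe copies in arbitrary directories.
    for path in snapshot.get("all_files", []):
        if path.lower().replace("/", "\\").endswith("\\pluto.exe"):
            findings.append(("high", f"pluto.exe copy at {path}"))
    return findings

# Constructed sample snapshot of an infected host (values are illustrative).
SAMPLE_SNAPSHOT = {
    "system_dir_files": ["kernel32.dll", "lcc.exe", "pluto.bmp", "about.htm"],
    "run_keys": {"setup32i": r'"C:\WINDOWS\system32\setup32i.exe"'},
    "system_ini_shell": "explorer.exe gcc.exe",
    "windows_firewall": "disabled",
    "automatic_updates": "disabled",
    "start_button_text": "Štárt",
    "all_files": [r"C:\Users\Public\pluto.exe", r"C:\Temp\notes.txt"],
}
```

Running `triage(SAMPLE_SNAPSHOT)` yields nine findings for the constructed host; an empty snapshot yields none.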