Aliases: I-Worm.W95.Plage.Worm, P2000 and Plage2000.
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 13 Jan 2000
Damage: Low

Characteristics: W32.Plage.Worm first appeared on January 13, 2000. This type of worm is a memory resident worm that replies on MAP132 and spreads by responding to unread email. The email has the following message body: “I’ll try to reply as soon as possible. Take a look to the attachment and send me your opinion! > Get your FREE P2000 now! <” This worm is also known as I-Worm.W95.Plage.Worm, P2000 and Plage2000.

More details about W32.Plage.Worm

When the file attachment this W32.Plage.Worm brought is executed, the “WinZip self-Extractor – fun.exe” dialog box is displayed. Then, a fake error message that says the file is corrupted or damaged is displayed to fool the user. When it is clicked OK, the worm produces copies of itself as INETD.EXE in the Windows directory. The worm also modifies the WIN.INI file's run line to be able to load itself into memory as INETD.EXE under Windows 95 and 98. Afterwards, the worm prepares a dialog box with an animated bitmap and text is displayed when the day of the week is Wednesday between 12:00Am and 2:00AM.

The W32.Plage.Worm program may be spread via e-mails, instant messages and IRC. Peer-to-peer (P2P) file sharing networks, freeware and shareware programs websites can also contain it. Other downloader applications and drive-by-downloads can install these in the system. Users are typically tricked into accepting the infected file. It may be labeled as legitimate software or a harmless data file.