Cart
Win32.Worm.Opaserv( Opasoft, Opas )
SYMPTOMS:
TECHNICAL DESCRIPTION: The worms in this family spread by copying themselves to other computers in the network that are running Windows 95/98/Me; they exploit a vulnerability in these operating systems that allows access to password-protected shares when guessing only the first character of the password. More information and a fix for this vulnerability are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp. The viruses were written in Borland C++ and Assembler.The first two sections describe the initial code of Win32.Worm.Opaserv.A; details about the other variants are available in the Worm Versions section below. The worm copies itself in the Windows folder as ScrSvr.exe; the registry entry HKLM\ Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr is created so that the new copy is run at every start-up; the ScrSvrOld registry entry is used to ensure that at least the old worm version is run at start-up, while upgrading it to a downloaded version. The original copy of the virus is deleted. A mutex object called “ScrSvr31415” (3.1415... are the first digits of the number pi) is used to prevent multiple copies from running at a given time. The virus will call the function RegisterServiceProcess so that the process is not listed when Task Manager is invoked. The virus will reduce its main thread’s priority so that it only runs when the computer is idle. It will create several execution threads, to replicate and update itself. For replication, it uses the SMB (Server Message Block) file sharing protocol; two threads are created by the virus for this purpose. The first of them will listen to incoming NetBIOS communication and attempt to connect (on port 139) to the remote machine’s C\ drive by trying every printable character as the password. It will transfer the virus body to the remote computer (to WINDOWS\scrsvr.exe) and modify win.ini (in the remote’s computer Windows folder) in order to include the filename of the virus in the “run =” line under the [windows] section (a temporary local file c:\tmp.ini is used in the process). This will cause the virus to be run at the next start-up on the remote computer. Another thread is used by the virus to scan for computers to infect in the network. It lists all IP’s of the local host (a.b.c.d) except for 127.0.0.1 and tries to connect to port 137 of computers with nearby IP’s: a.b.c.x a.b.c+1.x a.b.c-1.x (x iterates through all possible values) and to computers with IP’s in a random range. The worm attempts to update itself from the www.opasoft.com HTTP site and intends to store the downloaded version in the file scrupd.exe; two other temporary files (ScrSin.dat and ScrSout.dat) are used while transfering data from the update server. The site is not functional. Opaserv versions: The versions of the Win32.Worm.Opaserv family differ mainly in the names of files and mutex, address of the update site, executable packer (UPX, ASPack, PE-compact) and payload. Variant A has a minor subversion; the following names are used instead of the originals: Virus files: Alevir.exe, puta!!.exe Registry entries: Alevir, AlevirOld Temporary files: Alevir.dat, Alesout.dat, c:\put.ini Mutex: Alevir31415 Upgrade site: www.n3t.com.br Variants B, C, D and J are very similar to A; C is further encrypted and uses modified names: Virus files: marco!.scr, vaisef.exe Registry entries: Cuzao!Old, cronos Temporary files: Mane!!.dat, FDP!!!!.dat, c:\gay.ini Mutex: marquinhos! Upgrade site: www.gwmnet.com.br Variants E, F and L are encrypted and contain the text “OpaSoft Crypted By AlevirusSCS!”: Virus files: Brasil.pif (E) / Brasil.exe (F, L), puta!!.exe Registry entries: Brasil, BrasilOld Temporary files: Brasil.dat, Brasil!.dat, c:\put.ini Mutex: Brasil31415 Upgrade site: www.n3t.com.br Variant G also uses an additional encryption layer (besides the UPX packer): Virus files: instit.bat, tavinh.scr Registry entries: instit, GustavVED Temporary files: Gustav.sap, Institu.vat Mutex: GustavoDist Upgrade site: www.Gustavo.com Variant H keeps two additional log files: ScrLog records IP’s of computers that the virus attempts to infect and ScrLog2 records all scanned IP’s. Variants K and M will attempt to delete some other versions of the virus (the files scrsvr.exe, alevir.exe – and brasil.exe for M – in the Windows folder and the registry entries “scrsvr”, “alevir” – and “brasil” for M). K is packed with ASPack; the two versions use the following names: Virus files: Srv32.exe, sccss Registry entries: ..\RunServices\Srv32, Srv32Old Temporary files: Srv.tsk, Srv.res, c:\temp.ini Mutex: Srv3231415 Upgrade site: dc0.net (unavailable) Variant N is packed with PE-compact; it carries along a trojan which, under certain conditions, is executed and overwrites C:\boot.ini, and then restarts Windows (which will not be able to boot). Virus files: mqbkup.exe, update.exe Registry entries: mqbkup, mqbkupdbs Temporary files: MSBIND.DLL, mscat32.dll, c:\win.ini Mutex: mqbkup61616 Removal instructions: The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client. The BitDefender AntiOpaserv tool does the following: To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables. If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the 'Share Level Password' Vulnerability. You may also need to restore the affected files. ANALYZED BY: Bogdan Dragu BitDefender Virus Researcher |