Worm.Win32.Opasoft (a.k.a. Opaserv)
The Opasoft network worm virus, also known as "Opaserv" has a backdoor
trojan routine. The worm spreads over local and wide-area networks using
MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with
a length of about 28KB.
Installation
The worm installs itself to the Windows directory with the name
"scrsvr.exe" and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%
Opasoft then deletes its original file (from where it was started).
Spreading
In order to find victim computers Opasoft scans subnets for port
137 (NETBIOS Name Service). IP addresses of the following networks are
scanned:
current subnet of the infected computer (aa.bb.cc ??)
the two nearest subnets of the currently infected computer (aa.bb.cc.cc+1
?? , aa.bb.cc-1 ??)
selects subnets randomly (excluding those where scanning is disabled)
If, while searching (scanning) Opasoft happens upon a responding
IP address (of an actual computer), the worm then scans the two nearest
subnets of that IP address.
When "reply data" is received Opasoft checks a special field contained in it. If it shows that the given computer has the service "File and Print Sharing" open, Opasoft begins its infection procedure on that computer as a remote host.
During infection, Opasoft sends, via port 139 (NETBIOS Session Service) special SMB - packets that transmit the following commands:
sets a connection with the \\hostname\C resource(where "hostname"
= the name of the victim computer which is defined when the victim computer
answers Opasoft (by sending its "reply data") during the scan)
if the resource is password protected the worm runs through all
possible "one symbol" passwords - conducting a "brute-force" attack.
If connection is successful, Opasoft transmits its EXE file - during
transmission the full name of the destination file containing the code
(exe file) is revealed:
WINDOWS\scrsvr.exe
Opasoft then reads the Windows\win.ini file on the victim machine and copies (saves) it to the local disk (of the remote computer) under the name:
C:\TMP.INI
to this C:\TMP.INI file the worm copies the auto run command that
is placed in the victim computer's Windows system directory upon being
sent back to the victim computer.
To receive the packets from the remote computer two files appear
on the victim machine:
\WINDOWS\scrsvr.exe - a copy of the Opasoft worm
\WINDOWS\win.ini - A Windows INI file which contains the auto-run
command (to "auto-run" the Opasoft worm)
The second file, win.ini, results in Opasoft gaining control of
the victim computer upon system restart.
Backdoor
The backdoor routine goes to the www.opasoft.com WEB-site and performs the following actions:
downloads and executes its latest version (if there is one)
downloads and processes script files placed at this site
New worm versions are downloaded to the file "scrupd.exe". This
file is then run, and replaces the existing worm copy.
While processing the backdoor it uses its data files: "ScrSin.dat" and "ScrSout.dat". These files are encrypted with a strong crypto-algorythm.
Because the server at www.opasoft.com is down, it is not possible
to get more information about this backdoor routine.
Technical Details
To avoid double twice on the same machine the worm creates a "Windows
mutex" under the "ScrSvr31415" name.
Win9x machines are infectable while the infectinon of WinNT machines is highly unlikely and almost impossible.
One of worm versions writes log data about scanned and infected machines to the "ScrLog" and "ScrLog2" files.
Removal
The worm caused global epidemy and hit many Win9x systems because
of following reasons:
it spreads by using standard NETBIOS protocol
the "\\hostname\C" resource name is default name on opening a share
on C: drive
there is no request for password on share opening
many users don't pay enough attention to password length and security.
To get rid of the worm and to avoid reinfection it is necessary to:
disable file sharing, or apply a safe enough password to opened shares
delete infected EXE file
remove worm's "run" commands from WIN.INI file and system registry
(see above)
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
081002/121002/100904/051004
