Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to Randy Bell

Re: Opaserv - A Complete Guide

-------------------------------------------------------------------
Opaserv: First Major Variant - SCRSVR.EXE
-------------------------------------------------------------------

NOTE: this worm drops a copy of itself named as SCRSVR.EXE in the Windows directory. (Panda) it spreads across networks and attempts to connect to a webpage to update itself.

# In spreading, the worm attempts to copy itself to Windows\ScrSvr.exe on the remote machine.
# A Run key is added to WIN.INI on the remote machine, to run the worm at startup. For example: "Run=C:\WINDOWS\SCRSVR.EXE"

SYMPTOMS:

-- Presence of any of the following:

* %WinDir%\ScrSvr.exe
* C:\SCRSDAT.IN, C:\SCRSDAT.OUT (local infection)
* C:\TMP.INI (when machine remotely infected)

(Trend also reports that, in addition to the two files SCRSDAT.IN and SCRSDAT.OUT, its sub-variant 'D' drops a third file in the root C: directory named SCRLOG2, a file which earlier versions of the worm did not drop. VSantivirus reports that its sub-variant 'D' drops two files, ScrLog and ScrLog2, in the Windows directory, as does Trend's sub-variant 'C'. Trend states that ScrLog and ScrLog2 are encrypted, and that the worm also has the ability to update itself with a copy named scrupd.exe which is used to replace the current copy).

-- Existence of either of the following Registry keys:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvr" = %WinDir%\ScrSvr.exe
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvrOld" = (filename executed, if not %WinDir%\ScrSvr.exe)

-- Considerable port 137 traffic (UDP) originating from infected machine(s).

The worm uses SMB (Server Message Block Protocol) in Windows operating systems to access shared network resources through port 139 (NetBeui), taking advantage of a well-known vulnerability in the way Windows 9x/Me verifies share passwords, so that it can gain access with a single character (letter or number) without knowing the whole password. Microsoft's correction to this password vulnerability is here: http://www.microsoft.com/technet/security/...in/ms00-072.asp

1. Trend: WORM_OPASERV.A
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.A
Discovered: 9/30/02
Size of virus: ~28,672 Bytes
Alias: Backdoor.Opasoft, OPASOFT, W32.Opaserv.Worm, WORM_OPASOFT.A

Sub-Variants:

WORM_OPASERV.B
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.B
Discovered: 10/4/02
Size of virus: 28,672 Bytes
Alias: Win32.Opaserv.B worm, W32/Opaserv-B, Win32/Opaserv.B.worm, Worm.Win32.Opasoft.b, W32/Opaserv.worm, WORM_OPASOFT.B

WORM_OPASERV.C
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.C
Discovered: 1/30/03
Size of virus: 28,672 Bytes
Alias: W32/Opaserv.worm.c, Worm.Win32.Opasoft.c

WORM_OPASERV.D
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.D
Size of virus: ~27,136 Bytes
Discovered: 10/3/02
Alias: Backdoor.Opasoft, OPASOFT, W32/Opaserv.D.Worm, Worm.Win32.Opasoft.d, WORM_OPASOFT.D

WORM_OPASERV.J
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.J
Related to 'C', but this variant does not delete itself upon execution.
Discovered: 1/30/03
Size of virus: 65,536 Bytes
Alias: none listed

2. Symantec: W32.Opaserv.Worm
http://securityresponse.symantec.com/avcen...aserv.worm.html
Size of Virus: 28,672 bytes
Discovered: 9/30/02
Alias: W32/Opaserv.worm [McAfee], W32/Opaserv-A [Sophos], Win32.Opaserv [CA], WORM_OPASOFT.A [Trend], Worm.Win32.Opasoft [AVP]

3. McAfee: W32/Opaserv.worm
http://vil.nai.com/vil/content/v_99729.htm
Discovered: 09/28/02
Length: 28,672 bytes

Sub-Variants:
W32/Opaserv.worm.b - minor differences only
W32/Opaserv.worm.c - minor differences only
W32/Opaserv.worm.d - minor differences only

4. Sophos: W32/Opaserv-A
http://www.sophos.com/virusinfo/analyses/w...32opaserva.html
Alias: Opasoft

Sub-Variants:

W32/Opaserv-B
http://www.sophos.com/virusinfo/analyses/w...32opaservb.html
Alias: Worm.Win32.Opasoft.b, BackDoor-ALB trojan
W32/Opaserv-D
http://www.sophos.com/virusinfo/analyses/w...32opaservd.html
Alias: Worm.Win32.Opasoft.d, BackDoor-ALB trojan
W32/Opaserv-E
http://www.sophos.com/virusinfo/analyses/w...32opaserve.html
('A', 'B', 'D', 'E' -- detected by Sophos since 10/02)

5. Panda: Opaserv
http://www.pandasoftware.com/virus_info/en...x?idvirus=37403
Alias: Bck/Opasoft, WORM_OPASOFT.A
Discovered: 9/30/02

Sub-Variants:

Opaserv.C
http://www.pandasoftware.com/virus_info/en...x?idvirus=37464
Size of virus: 28672 Bytes
Discovered: 10/22/02

Opaserv.gen
http://www.pandasoftware.com/virus_info/en...x?idvirus=37495
Size of virus: 24050 Bytes
Discovered: 10/23/02

6. Kaspersky: Worm.Win32.Opasoft (a.k.a. Opaserv)
http://www.viruslist.com/eng/viruslist.html?id=52256
Discovered: 9/30/02

7. VSantivirus: W32/Opasoft.A
http://babelfish.altavista.com/babelfish/u...2Fopasoft-a.htm
Size of virus: 28672 bytes
Discovered: 9/30/02
Alias: W32.Opaserv.Worm, W95/Scrup.worm, Worm_Opasoft.a, W32/Opasoft-A, OpaSoft, Worm/OpaSoft, BackDoor-ALB, Backdoor.Opasoft, Bck/Opasoft, Worm.Win32.Opasoft, WORM_OPASOFT, WORM_OPASOFT.A, W32/Opaserv.worm, W32/Opaserv-A, Win32.Opaserv, W32/Scrup.worm, Worm.Win32.Opasoft.a, Opasoft, Scrup

Sub-Variant: W32/Opasoft.B
http://babelfish.altavista.com/babelfish/u...2Fopasoft-b.htm
(slight modification of A-variant's encryption algorithm)
Size of virus: 28 Kb (approx.)
Discovered: 10/2/02
Alias: W32/Opaserv-B, Worm.Win32.Opasoft.b, BackDoor-ALB Trojan

Sub-Variant: W32/Opasoft.D
http://babelfish.altavista.com/babelfish/u...2Fopasoft-d.htm
Alias: Win32.Opaserv.D, Win32/Opaserv.D.Worm, W32/Opaserv.worm, W32.Opaserv.Worm

8. Computer Associates: Win32.Opaserv.A
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
Last Modified: 12/11/02
Alias: W32.Opaserv.Worm, W32/Scrup.worm, Worm.Win32.Opasoft.a

Sub-Variants:

Win32.Opaserv.B
http://www3.ca.com/virusinfo/Virus.asp?ID=13308
Last Modified: 12/11/02
Alias: Win32/Opaserv.B.Worm, W32/Opaserv.worm, W32.Opaserv.Worm
NOTE: uses a slightly different internal encryption algorithm to the 'A' variant.

Win32.Opaserv.D
http://www3.ca.com/virusinfo/Virus.asp?ID=13309
Last Modified: 12/11/02
Alias: Win32/Opaserv.D.Worm, W32/Opaserv.worm, W32.Opaserv.Worm
NOTE: creates two extra log files in the Windows directory: "ScrLog" and "ScrLog2".

9. F-Secure: Opaserv
http://www.europe.f-secure.com/v-descs/opasoft.shtml
Windows PE EXE file
Discovered: end of Sept. 2002
Size of Virus: about 28 KB
Alias: Worm_Win32_Opasoft, Worm.Win32.Opasoft, I-Worm.Opasoft, W95/Scrup.worm, W32.Opaserv.Worm, Opasoft, Scrup

-------------------------------------------------------------------
Opaserv: Second Major Variant - BRASIL (.PIF, .EXE)
-------------------------------------------------------------------

NOTE: Upon execution, this worm decrypts its codes and then copies itself into the Windows directory as BRASIL.PIF or BRASIL.EXE. It then transfers execution to the dropped file and deletes the executed file.

SYMPTOMS: Indicators of infection include:

* Existence of files Brasil.dat and Brasil!.dat in the C: directory, which indicates a local infection (that is, the worm was executed on the local computer).
* Existence of Put.ini file in the C: directory, which may indicate a remote infection (that is, the computer was infected by a remote host).
* The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value Brasil or BrasilOld, which is set to C:\WINDOWS\Brasil.pif or C:\WINDOWS\brasil.exe.

TECHNICAL DETAILS (Panda):

The worm makes WINS queries (through the NetBIOS protocol) to several consecutive IP addresses, searching for shared W9x/Me drives. Once the worm has obtained a computer's NetBIOS name, it starts a remote session and tries to access the remote computer's C: drive. If the worm manages to do this, it connects to the drive (regardless of the fact that this is password-protected or not), and copies itself under the name PUT.INI. PUT.INI is a copy of the WIN.INI system file, with the following entry added in [windows] section: "run = C:\WINDOWS\BRASIL.PIF". The worm then renames PUT.INI as WIN.INI in the remote computer, ensuring that it is run the next time the remote computer is started up. Finally, the worm tries to connect to other drives in the attacked computer's subnetwork, as well as other random IPs. The worm inserts the following entry in the Windows Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"brasil=%WinDir%\brasil.exe" or "brasil=%WinDir%\brasil.pif"

In this way, the worm ensures it is run every time Windows is started up.

As with all the Opaserv family, the worm spreads mainly across shared network drives, in the following way:

* It looks for network IP addresses, as well as some random IP addresses.
* It makes a call to port 137.
* On getting a response, it spreads through port 139, copying itself to the remote computer's C:\windows directory under one of the following names: BRASIL.EXE or BRASIL.PIF.

Again, as with all the Opaserv family, this worm exploits the Share Level Password vulnerability, based on an inconsistency in password-protection of shared drives in Windows Me/98/95 operating systems.

1. Trend: WORM_OPASERV.E
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.E
Filename: BRASIL.EXE
Size of virus: 24,064 Bytes
Discovered: 10/20/02
Alias: OPASOFT, OPASERV

Sub-Variant: WORM_OPASERV.P
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.P
Filename: BRASIL.EXE
Size of virus: 47,616 Bytes
Discovered: 1/31/03
Alias: W32/Opaserv.worm.p, Worm.Win32.Opasoft.a, Win32/Opaserv.A.worm, Win32/Opaserv.Worm, Win32.Opaserv.P

2. Symantec: W32.Opaserv.E.Worm
http://securityresponse.symantec.com/avcen...erv.e.worm.html
Size of Virus: 24,064 bytes
Discovered: 10/23/02
Alias: W32.Opaserv.Worm, WORM_OPASERV.E [Trend], W32/Opaserv-C [Sophos], Win32.Opaserv.E [CA], W32/Opaserv.worm [McAfee]

3. McAfee Sub-Variants:
http://vil.nai.com/vil/content/v_99729.htm
W32/Opaserv.worm.e - Filename: BRASIL.PIF (may be 24,064 bytes)
W32/Opaserv.worm.f - Filename: BRASIL.EXE (may be 24,064 bytes)
(For updates these variants use the website "www.n3t.com.br")
'e' and 'f' Discovered: 10/21/02
W32/Opaserv.worm.p - Filename: BRASIL.EXE (47,616 bytes)

4. Sophos: W32/Opaserv-C
http://www.sophos.com/virusinfo/analyses/w...32opaservc.html
Discovered: (unspecified)
Alias: Opaserv-E

5. Panda: Opaserv.E
http://www.pandasoftware.com/virus_info/en...x?idvirus=37460
Size of virus: 24,064 bytes
Discovered: 10/19/02
Alias: W32/Silbra

6. Kaspersky: Worm.Win32.Opasoft.a (a.k.a. Brasil)
http://www.viruslist.com/eng/viruslist.html?id=52256
Discovered: 10/19/02 - 10/20/02

7. VSantivirus: W32/Opasoft.E (Silbra)
http://babelfish.altavista.com/babelfish/u...2Fopasoft-e.htm
(packed by UPX and encrypted with PCPEC)
Size of virus: 24064 bytes
Discovered: 10/19/02
Alias: Win32.Opaserv.E, Win32/Opaserv.E.Worm, WORM_OPASERV.E, W32/Opaserv.E, W32/Silbra, W32/Opaserv-C

8. Computer Associates: Win32.Opaserv.E
http://www3.ca.com/virusinfo/Virus.asp?ID=13421
Filename: Brasil.exe
Last Modified: 12/11/02
Alias: WORM_OPASERV.E, Win32/Opaserv.E.Worm, W32/Opaserv.worm.f, W32/Opasoft.F

Sub-Variant: Win32.Opaserv.F
http://www3.ca.com/virusinfo/Virus.asp?ID=13423
(encrypted and UPX-packed)
Filename: Brasil.pif
Last Modified: 12/11/02
Alias: WORM_OPASERV.E, Win32/Opaserv.F.Worm, W32/Opaserv.worm.e, Worm.Win32.Opasoft.a

9. F-Secure: Opasoft.A
http://www.europe.f-secure.com/v-descs/opasoft.shtml
encrypted by "PCPEC" and compressed by "UPX"
Discovered: middle October 2002
Alias: Worm.Win32.Opasoft.a, Brasil

-------------------------------------------------------------------
Opaserv: Third Major Variant - ALEVIR.EXE
-------------------------------------------------------------------

According to Sophos, its generic opaserv worm can also create a file called ALEVIR.EXE in the Windows folder. Note that McAfee's sub-variant 'g' does have an associated filename of ALEVIR.EXE, as do Trend's 'F' and 'G' -- but the others go by SCRSVR.EXE. Thus this category is the same as Opaserv 'A', except the associated filename is ALEVIR.EXE rather than SCRSVR.EXE. Trend's 'F' creates a file named PUT.INI in the C: directory and copies the content of %Windows%\win.ini into this file. Then it adds this entry in the [windows] section of a put.ini file: "run = %Windows%\ALEVIR.EXE"

SYMPTOMS:

* Presence of a program file named ALEVIR.EXE in the Windows directory
* Presence of this registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Alevir = "%Windows%\ALEVIR.EXE"

Note that Trend's sub-variant 'G' also adds this registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AlevirOld = (path and file name of originally executed worm file)"

According to Trend, this worm also drops the files, Alevir.dat and AleSout.dat, in the C: directory. It uses these files during information exchange with http://www.n3t.com.br (a download site that is no longer active).

TECHNICAL DETAILS (Trend):

Arrival: like previous OPASERV variants, the worm arrives on host machines with shared drive Cs that allow full access. It can also arrive on password-protected shared drive Cs on network machines that employ the share-level access control and do not have the patch for the Share Level Password Vulnerability installed.

Installation: on first execution, this worm copies itself to the Windows directory as Alevir.exe. It then adds two registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Alevir=%Windows%\Alevir.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AlevirOld = (path and file name of originally executed worm file)"

The first entry, Alevir, enables the dropped worm copy at Windows startup. The second entry, AlevirOld, is used by the worm to temporarily save the full path and file name of the executed worm file. It does this so that on its next execution, it can locate and delete the file. The worm then executes its dropped copy, Alevir.exe, terminates itself and lets Alevir.exe take control. The newly loaded worm file then deletes the originally executed malware file, which it locates by referring to the registry entry, AlevirOld. After deleting the file, it also deletes the corresponding registry entry. To ensure that only one instance of itself is in memory, this worm first creates a unique mutex named Alevir31415, and then stays resident. The worm registers itself as a service process, thereby hiding itself from the Close Program dialog box, which is displayed on Windows 95, 98, and ME when CTRL+ALT+DEL is pressed. (Note: This worm only executes on Windows 95, 98, and ME.)

Network Propagation: the worm propagates via network shared drive Cs using the Share Level Password vulnerability which allows a remote user or application to access a Windows 9x and Me shared file or folder, without knowing the entire password assigned to the share. If a drive is password-protected, this worm uses a brute force technique to gain access to the shared drive. To scan the network for potential hosts, this worm uses the standard Netbios "nbstat" frames, which elicit a node status response from Netbios and SAMBA clients. This response contains a listing of any Netbios name known to that node. The infection process begins with an nbstat request frame. When the nbstat is answered, this worm follows it with a TCP session at port 139, which attempts to mount a share named "C." It looks for machines in the same domain that have shared drive Cs with full access. It registers itself as a service and repetitively scans for machines connected to the network. It uses SMB (Server Message Block Protocol) commands to access the shared drives. Once it finds a potential host machine, it remotely copies itself to the Windows directory of that machine as Alevir.exe. Afterwards, it copies the WIN.INI file of the target machine as PUT.INI in the directory C:. It then modifies PUT.INI by inserting the full path name of the dropped Alevir.exe in the run field. Finally, it overwrites WIN.INI file with the contents of the modified PUT.INI, which allows the dropped worm copy to execute on the host machine on the next restart.

The worm-modified WIN.INI contains the following text in the [windows] section, which launches the dropped worm copy:
run = %Windows%\Alevir.exe

(Note: Although it is possible for a Windows NT, 2000 or XP machine to receive a copy of this worm from a remote infected machine, this copy will not activate or execute on these machines.)

Other Details: The worm appears to send information to the site http://www.n3t.com.br. Also apparent in its codes is that it downloads updates of itself from the same Web site and saves these updated copies as puta!!.exe. It also drops the files, Alevir.dat and AleSout.dat, in the C: directory, and uses these files during the information exchange with http://www.n3t.com.br. At the time of this writing, the download site is down and inaccessible.

1. Trend: WORM_OPASERV.F
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.F
Size of virus: 26,624 Bytes
Related to 'E' worm
Discovered: 10/24/02
Alias: Worm.Win32.Opasoft.a, Win32/Opaserv.A.worm, W32/Opaserv-A, Win32/Opaserv.Worm, Win32.Opaserv.A worm

Sub-Variant: WORM_OPASERV.G (upgraded copy uses filename puta!!.exe)
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.G
Size of virus: 28,672 Bytes
Variant of 'A' worm
Discovered: 10/29/02
Alias: W32/Opaserv.worm.g, W32/Opaserv.worm.C, Worm.Win32.Opasoft.a

2. McAfee Sub-Variant:
W32/Opaserv.worm.g - Filename: ALEVIR.EXE (28,672 or 32,256 bytes)
http://vil.nai.com/vil/content/v_99729.htm

3. Symantec, Sophos, and Kaspersky: detection under the same generic name as with the 'A' variant.

4. Panda: Opaserv.F
http://www.pandasoftware.com/virus_info/en...x?idvirus=37493
Discovered: 10/23/02

5. VSantivirus: W32/Opasoft.F
http://babelfish.altavista.com/babelfish/u...2Fopasoft-f.htm
(packed by UPX and encrypted with PCPEC)
Discovered: 10/23/02
Size of virus: 24 Kb
Alias: W32/Opaserv.F

6. Computer Associates: There is a minor variant of Opaserv.A in the wild that uses different filenames, although apart from this small modification, it is identical in function. When run, the worm copies itself to the Windows directory. It then adds the following value to the registry so that this copy is run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Alevir="%Windows%\alevir.exe"
It also creates the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AlevirOld="alevir.exe"
This value is set to the file from which the worm was originally run. This registry key is later deleted. The files Alevir.dat and AleSout.dat are also created in the %Windows% directory.

7. F-Secure: detected as Opaserv.A
http://www.europe.f-secure.com/v-descs/opasoft.shtml

-------------------------------------------------------------------
Opaserv: Fourth Major Variant - PUTA!!.EXE
-------------------------------------------------------------------

SYMPTOMS:

* Presence of a program file named PUTA!!.EXE in the Windows directory
* Presence of this registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Alevir = "%Windows%\PUTA!!.EXE"

When this version of the worm detects an accessible unit, it copies PUTA!!.EXE in the Windows directory: C:\Windows\PUTA!!.EXE and adds the following to the [Windows] section of WIN.INI: "run = C:\Windows\PUTA!!.EXE" and adds the following key to the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Puta!=C:\Windows\PUTA!!.EXE"

1. Trend: WORM_OPASERV.L
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.L
(usually packed by UPX and encrypted by PCPEC)
Size of virus: 29,065 Bytes
Discovered: 2/1/03
Alias: W32/Opaserv.worm.L, Win32/Opaserv.Worm, Win32/Opaserv.A.worm, W32/Opaserv.worm, Worm.Win32.Opasoft.a, I-Worm/Opas.L
NOTE: Trend's 'G' variant uses filename puta!!.exe in its downloaded upgrade.

2. Symantec: W32.Opaserv.E.Worm uses the file Brasil.exe or Brasil.pif, but it also appears to be able to update itself by reading files from a Web site whose URL is hardcoded within the worm, and attempts to download an update named Puta!!.exe.
http://securityresponse.symantec.com/avcen...erv.e.worm.html

3. McAfee Sub-Variant:
W32/Opaserv.worm.l - Filename: PUTA!!.EXE (29,065 bytes)
http://vil.nai.com/vil/content/v_99729.htm

4. Panda: Opaserv.G
http://www.pandasoftware.com/virus_info/en...x?idvirus=37494
Discovered: 10/23/02

5. VSantivirus: W32/Opasoft.G
http://babelfish.altavista.com/babelfish/u...2Fopasoft-g.htm
(packed by UPX and encrypted with PCPEC)
Discovered: 10/23/02
Size of virus: 24 Kb
Alias: W32/Opaserv.G

-------------------------------------------------------------------
Opaserv: Fifth Major Variant - MARCO!.SCR
-------------------------------------------------------------------

SYMPTOMS:

* Existence of files Mane!!.dat or FDP!!!!.dat in the C: directory, which indicates local infection.
* Existence of the Gay.ini file in the C: directory, which may indicate remote infection.
* The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value cronos or Cuzao!Old, which is set to %windows%\marco!.scr.

When executed the worm will create a file called marco!.scr in the Windows folder on the current drive. The worm then adds the following registry entry to run itself when the system starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "cronos=%windows%\marco!.scr"
(Symantec: string value "cronos" may be "Cuzao!Old" instead.)

The worm attempts to copy itself to the Windows folder on networked computers with open shared drives. When the worm has successfully infected another computer it creates (locally) a file called gay.ini which is a copy of the win.ini file from the newly infected computer. The worm modifies this file to ensure the worm copy will be run on system start and then copies gay.ini back to win.ini on the newly infected computer.

According to Trend, WORM_OPASERV.I drops the files, Mane!!.dat and FDP!!!!.dat in the C: directory, which are used during information exchange with the sites http://www.gwmnet.com.br and http://www.cronos.tica.com.br (currently down and inaccessible).

NOTES (Symantec):

* The worm modifies C:\Windows\Win.ini before it copies itself as C:\Windows\Marco!.scr. Therefore, antivirus products will find and delete C:\Windows\Marco!.scr after the system has been altered, but not before the worm modifies the Win.ini file. As a result, when you restart the computer, you may see a message that Marco!.scr cannot be found. To fix this, remove the line that the worm added.
* The worm is apparently coded to add this line to Win.ini: "run= c:\gay.ini"
However, in actual infections or detections, the worm has added the line
"run= c:\Windows\Brasil.exe,c:\Windows\Brasil.pif,c:\Windows\marco!.scr"
* The worm also creates the file named C:\Gay.ini, which contains the text
"run= c:\Windows\Brasil.exe,c:\Windows\Brasil.pif,c:\Windows\marco!.scr"

The worm also appears to be able to update itself by reading files from a Web site whose URL is hardcoded within the worm. It also attempts to download an update named Vaisef.exe.
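
The cleanup step in Symantec's note above (remove what the worm added to the run= line) can be done without touching legitimate startup entries. The following Python sketch is an added example, not part of the original guide and not any vendor's removal tool: it strips only Opaserv file names from run= in the [windows] section of a WIN.INI file and reports the [msappfont] section that the MQBKUP/MSTASK variant adds. The function name, the file-name list compiled from this guide, and the sample WIN.INI contents are assumptions made for illustration.

```python
import ntpath
import re

# Added illustration. File names this guide associates with Opaserv
# run= entries in WIN.INI (compared case-insensitively, by base name).
WORM_RUN_TARGETS = {
    "scrsvr.exe", "brasil.pif", "brasil.exe", "alevir.exe",
    "puta!!.exe", "marco!.scr", "instit.bat", "gay.ini",
}
# Section the MQBKUP/MSTASK variant writes to WIN.INI as its execution marker.
MARKER_SECTION = "msappfont"

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
RUN_RE = re.compile(r"^(\s*run\s*=)(.*)$", re.IGNORECASE)


def split_entries(value):
    """A run= value lists programs separated by commas and/or blanks."""
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]


def inspect_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a WIN.INI file.

    findings is a list of (line_number, description) tuples. cleaned_text
    has worm entries removed from run= lines inside [windows]; every other
    line, including legitimate run= entries and line endings, is kept.
    """
    findings, out, section = [], [], None
    for lineno, raw in enumerate(text.splitlines(keepends=True), start=1):
        line = raw.rstrip("\r\n")
        eol = raw[len(line):]
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip().lower()
            if section == MARKER_SECTION:
                findings.append((lineno, "[msappfont] marker section"))
            out.append(raw)
            continue
        # run= only launches programs when it sits in the [windows] section.
        run = RUN_RE.match(line) if section == "windows" else None
        if not run:
            out.append(raw)
            continue
        entries = split_entries(run.group(2))
        keep = []
        for entry in entries:
            name = ntpath.basename(entry.strip('"')).lower()
            if name in WORM_RUN_TARGETS:
                findings.append((lineno, "run= entry " + entry))
            else:
                keep.append(entry)
        if len(keep) == len(entries):
            out.append(raw)  # nothing matched: leave the line byte-for-byte
        else:
            out.append(run.group(1) + ",".join(keep) + eol)
    return findings, "".join(out)


# Constructed sample: a WIN.INI as the Marco!.scr variant is reported to
# leave it, plus one legitimate program (hypothetical C:\TOOLS\CLOCK.EXE).
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=",
    r"run= c:\Windows\Brasil.exe,c:\Windows\Brasil.pif,"
    r"c:\Windows\marco!.scr,C:\TOOLS\CLOCK.EXE",
    "NullPort=None",
    "[Desktop]",
    r"run=C:\WINDOWS\SCRSVR.EXE",  # not in [windows], so it is not rewritten
    "[msappfont]",
    "value=7",
]) + "\r\n"

if __name__ == "__main__":
    found, cleaned = inspect_win_ini(SAMPLE_WIN_INI)
    for lineno, what in found:
        print("line %d: %s" % (lineno, what))
    print(cleaned)
```

A match on the file name is a lead to confirm against the file and registry symptoms listed for each variant; work on a copy of WIN.INI and keep the original until the machine has restarted cleanly.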

1. Trend: WORM_OPASERV.I
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.I
(variant of 'A' worm)
Size of virus: 12,800 Bytes
Discovered: 10/28/02
Encrypted: Yes
Alias: Worm.Win32.Opasoft.a

2. Symantec: W32.Opaserv.G.Worm
http://securityresponse.symantec.com/avcen...erv.g.worm.html
Size of Virus: 12,800 bytes
Discovered: 10/29/02
(packed by PECompact)
Alias: W32.Opaserv.Worm, WORM_OPASERV.G [Trend], W32/Opaserv-F [Sophos], Win32.Opaserv.G [CA], W32/Opaserv.worm [McAfee]

3. McAfee Sub-Variant:
W32/Opaserv.worm.i - Filename: MARCO!.SCR (12,800 or 39,424-40,963 bytes)
http://vil.nai.com/vil/content/v_99729.htm
Discovered: 10/29/02

4. Sophos: W32/Opaserv-F
http://www.sophos.com/virusinfo/analyses/w...32opaservf.html
variant of 'A' worm
(Detected since 10/02)
Alias: Worm.Win32.Opasoft.a, W32.Opaserv.G.Worm

5. Panda: Opaserv.H
http://www.pandasoftware.com/virus_info/en...x?idvirus=37512
Discovered: 10/29/02

6. Kaspersky: Worm.Win32.Opasoft.a (MARCO!.SCR)
http://www.viruslist.com/eng/viruslist.html?id=52256
Discovered: 10/19/02 - 10/20/02

7. VSantivirus: W32/Opasoft.H
http://babelfish.altavista.com/babelfish/u...2Fopasoft-h.htm
(packed and encrypted with several tools)
Size of virus: 12.800 bytes
Discovered: 10/28/02
Alias: Opaserv.H, Win32.Opaserv.G, W32/Opaserv.H, Worm.Win32.Opasoft.a, WORM_OPASERV.G, W32/Opaserv-F

8. Computer Associates: Win32.Opaserv.G
http://www3.ca.com/virusinfo/Virus.asp?ID=13469
Last Modified: 12/11/02

9. F-Secure: detected as Opaserv.A
http://www.europe.f-secure.com/v-descs/opasoft.shtml

-------------------------------------------------------------------
Opaserv: Sixth Major Variant - INSTIT.BAT
-------------------------------------------------------------------

Symantec notes, this worm attempts to download updates from www.instituto.com.br, although the site may have been shut down. VSantivirus adds that the worm creates C:\GUSTAV.SAP and C:\INSTITU.VAT, used when it tries to connect itself to its home site to exchange information.

SYMPTOMS:

* Existence of files Gustav.sap or Institu.bat in the C: directory, which indicates a local infection.
* Existence of the institu file in the C: directory, which may indicate a remote infection.
* Existence of the value "instit=C:\WINDOWS\instit.bat" or "GustavVED=" in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NOTES (Sophos): this worm spreads by copying itself to the Windows folder on drive C: and to network shares as INSTIT.BAT. The worm then adds an entry to WIN.INI on the shared drive so that INSTIT.BAT is run when Windows is started. On the infected computer the worm copies itself to the Windows folder as INSTIT.BAT and adds an entry to the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that the worm is run when Windows is started. The worm may also attempt to contact several websites in Brazil.

1. Trend: WORM_OPASERV.K
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.K
Size of virus: 21,504 Bytes
Discovered: 11/11/02
Alias: Win32.Opaserv.H worm, Win32/Opaserv.J.worm, W32/Opaserv.worm.k

2. Symantec: W32.Opaserv.H.Worm
http://securityresponse.symantec.com/avcen...erv.h.worm.html
Size of Virus: 21,504 bytes
(compressed with UPX)
Discovered: 11/11/02
Alias: Win32.Opaserv.H [CA], WORM_OPASERV.K [Trend], W32/Opaserv-G [Sophos], W32/Opaserv.worm.k [McAfee]

3. McAfee Sub-Variant:
W32/Opaserv.worm.k - Filename: INSTIT.BAT (21,504 bytes)
http://vil.nai.com/vil/content/v_99729.htm
Discovered: 11/10/02

4. Sophos: W32/Opaserv-G
http://www.sophos.com/virusinfo/analyses/w...32opaservg.html
Discovered: (not specified)
Alias: Worm.Win32.Opasoft

5. Panda: Opaserv.J
http://www.pandasoftware.com/virus_info/en...x?idvirus=37586
Discovered: 11/10/02
Alias: W32/Tisints

6. Kaspersky: Worm.Win32.Opasoft.a (INSTIT.BAT)
http://www.viruslist.com/eng/viruslist.html?id=52256

7. VSantivirus: W32/Opasoft.I
http://babelfish.altavista.com/babelfish/u...2Fopasoft-i.htm
(compressed and encrypted with several tools)
Size of virus: 21,504 bytes
Discovered: 11/11/02
Alias: WORM_OPASERV.H, Worm/OpaSoft.F, W32.Opaserv.H, Opaserv.H, Win32.Opaserv.H, W32/Opaserv.I, Worm.Win32.Opasoft.a, W32/Opaserv-G

8. Computer Associates: Win32.Opaserv.H
http://www3.ca.com/virusinfo/Virus.asp?ID=13607
Last Modified: 12/11/02
Alias: WORM_OPASERV.K, W32.Opaserv.H.Worm, Win32/Opaserv.H.Worm, Win32/Opaserv.J, W32/Opaserv.worm.k, Worm.Win32.Opasoft.e

9. F-Secure: Opaserv.E (another "Brasilian" modification)
http://www.europe.f-secure.com/v-descs/opasoft.shtml
packed with UPX and VGCrypt
Discovered: middle November 2002
Alias: Worm.Win32.Opasoft.E, Opasoft.E

-------------------------------------------------------------------
Opaserv: Seventh Major Variant - MQBKUP and MSTASK (.EXE)
-------------------------------------------------------------------

NOTE: WORM_OPASERV.H (Trend) is a variant of WORM_OPASERV.A and propagates via shared network drives. Its destructive payloads are executed when the system date is between December 24 to 31 or when the year is greater than 2002. This worm deletes files, overwrites the boot sector and destroys the CMOS, a critical system element which holds hardware configuration and initialization settings. These payloads leave infected systems practically unusable. This worm runs on all Windows platforms.

SYMPTOMS:

-- Presence of any of the following:

* %WinDir%\MQBKUP.EXE
* %WinDir%\MSTASK.EXE
* %WinDir%\MSBIND.DLL
* %WinDir%\MSCAT32.DLL
* C:\WIN.INI (when machine remotely infected)

-- Existence of either of the following Registry key values:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"mqbkup = %windows%\mqbkup.exe" or "mstask=%windows%\mstask.exe"

-- A new section in the WIN.INI file:

[msappfont]
value=%value%
font=%value%
style=%value%

with lines that begin with "value=," "fonts=," and "styles=", where the worm places corresponding values based on the ASCII equivalent of the current "day" / "month" plus 30.

-- Considerable port 137 traffic (UDP) originating from infected machine(s).

NOTES (Trend): This is a destructive, memory-resident worm that usually arrives as a PE Compact compressed file. Upon execution, it drops the following files in the default Windows folder and then deletes the original file that was executed:

* MSBIND.DLL
* MSCAT32.DLL
* MQBKUP.EXE or MSTASK.EXE – a copy of the worm

TECHNICAL DETAILS (Trend, Panda, Sophos):

This destructive worm checks if the current date is between December 24 and December 31 or if the year is higher than 2002. It also checks its WIN.INI execution markers if at least two days have passed since its last execution. If these conditions hold, this worm proceeds to carry out the following routines:

1. It creates the file, C:\Msdos.sys, which overwrites the original Msdos.sys.
2. It modifies the critical configuration file, C:\Autoexec.bat, so that it contains the execution command for MSLICENF.COM. This file contains code designed to infect the boot sector of the infected system. Sophos detects this file as Troj/Qzap-248.
3. It creates C:\Boot.ini, which contains bootloader settings.
4. It also creates C:\Bootsect.dos, which contains an infected boot sector image. Sophos detects this file as Troj/Qzap-249.
5. It uses a C:\Boot.exe to restart the infected system.

(Note that Trend detects the DOS files Boot.exe, MSLICENF.COM, and Bootsect.dos dropped by the 'H' and 'M' opaserv worms as QZAP248.A).

When the system is restarted using the dropped file, BOOT.EXE, and under the conditions described above, the following correspondingly take place:

1. If the current operating system is Windows 95 or 98, the infected system executes MSLICENF.COM as indicated by the modified AUTOEXEC.BAT in DOS mode.
2. If the system runs on Windows ME, this worm enables the real DOS mode by patching C:\IO.Sys, C:\Command.Com, and C:\Windows\System\Regenv32.exe.

When this worm executes BOOT.EXE, it also carries out the following destructive routines:

* It overwrites the boot sector of the infected system.
* It destroys the CMOS.
* It deletes files from the hard drive.

This message simulates a warning about the version of the Windows operating system installed on the affected computer:

NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act
Your unauthorized license has been revoked
For more information, please call us at:
NOPIRACY
If you are outside the USA, please look up the correct contact information on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world


After displaying this message, the worm deletes the content of the computer's CMOS (BIOS) and hard disk.

(Sophos) Depending on the version of the operating system, W32/Opaserv-H might attempt to modify command.com, io.sys and regenv32.exe which renders the computer unable to boot up and displays garbage instead.

1. Trend: WORM_OPASERV.H
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.H
(all of this Trend family are PE Compact compressed)
Size of virus: 28,931 Bytes
Discovered: 1/31/03
Alias: I-Worm/Opas.H, W32/Opaserv.worm, Trojan.Win32.KillWin.m.1

Sub-Variants:

WORM_OPASERV.M
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.M
Size of virus: 20,480 Bytes
Discovered: 1/2/03
Filename: MQBKUP.EXE or MSTASK.EXE
Alias: W32/Opaserv.worm.m, Win32/Opaserv.M.worm, W32.Opaserv.K.Worm, W32/Opaserv-I, Win32.Opaserv.I

WORM_OPASERV.N
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.N
(formerly detected by Trend as TROJ_WINKILL.A)
Size of virus: 17,000 – 20,000 Bytes
Discovered: 1/17/03
Filename: MSTASK.EXE
Alias: W32/Opaserv-H, Win32/Opaserv.M.worm, Trojan.Win32.KillWin.m.2, I-Worm/Opas.N, W32/Opaserv.worm.G, W32/Opaserv.worm

WORM_OPASERV.R
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.R
Size of virus: 17,408 Bytes
Discovered: 1/17/03
Filename: MQBKUP.EXE
slightly modified version of WORM_OPASERV.H
Alias: W32/Opaserv.worm.r, W32/Opaserv.worm.O, Trojan.Win32.OpaKill.c, Win32/Opaserv.M.worm, W32/Opaserv-K, Win32.Opaserv.R

QZAP248.A
http://www.trendmicro.com/vinfo/virusencyc...VName=QZAP248.A
This is the detection for several DOS files dropped by the 'H' and 'M' worms.
Size of virus: 512 Bytes
Discovered: 1/5/03
Alias: Trojan.KillBoot.b, Trojan:DOS/KillBoot.B, Troj/Qzap-249, Trojan.Win32.OpaKill, Troj/Qzap-248, Opaserv.I, Opas

2. Symantec: W32.Opaserv.K.Worm
http://securityresponse.symantec.com/avcen...erv.k.worm.html
Filename: MQBKUP.EXE or MSTASK.EXE (see comment below)
(packed by PECompact)
Discovered: 12/24/02 (updated 1/9/03)
Size of Virus: 17,408 bytes
Alias: W32/Opaserv.worm.m [McAfee], W32/Opaserv.worm.n [McAfee], W32/Opaserv-H [Sophos], W32/Opaserv-I [Sophos], W32/Opaserv-L [Panda], Opaserv.F [F-Prot], WORM_OPASERV.M [Trend]

According to Symantec: Recently, a new variant of the W32.Opaserv.K.Worm was discovered. The differences between this new variant and the old one are:

* File name is Mmstask.exe, instead of Mqbkup.exe.
* Registry key that the new variant adds is Mstask or Mstasksys.
* File size is 20,480 bytes.

Symantec detects the new variant by the same name W32.Opaserv.K.Worm.

3. McAfee: W32/Opaserv.worm.m
http://vil.nai.com/vil/content/v_99924.htm
Filename: MQBKUP.EXE (17,408 bytes)
Discovered: 12/20/02
Alias: TROJ_WINKILL.A (Trend), Trojan.Win32.KillWin (AVP), W32/Opaserv.L (Panda), Win32.Opaserv.I (CA)

Sub-Variants:
W32/Opaserv.worm.h - Filename: MQBKUP.EXE (28,931 bytes)
W32/Opaserv.worm.n - Filename: MSTASK.EXE (20,480 bytes)
W32/Opaserv.worm.r - Filename: MQBKUP.EXE (17,408 bytes)
http://vil.nai.com/vil/content/v_99729.htm

4. Sophos: W32/Opaserv-H
http://www.sophos.com/virusinfo/analyses/w...32opaservh.html
Size of virus: 18853 bytes
Filename - MSTASK.EXE

Sub-Variants:

W32/Opaserv-K
http://www.sophos.com/virusinfo/analyses/w...32opaservk.html
Filename - MQBKUP.EXE

NOTE: 'H' and 'K' drop Troj/Qzap-248 and Troj/Qzap-249

W32/Opaserv-I
http://www.sophos.com/virusinfo/analyses/w...32opaservi.html
Discovered: (unspecified)
Filename - MQBKUP.EXE
Alias: Trojan.Win32.KillWin.m, W95/Opaserv.worm.F, W32/Opaserv.worm.m, W32.Opaserv.K.Worm, TROJ_WINKILL.A

5. Panda: Opaserv.L
http://www.pandasoftware.com/virus_info/en...x?idvirus=37767
Filename - MQBKUP.EXE
(packed by PECompact v1.6)
Size of virus: 17,408 bytes
Discovered: 12/21/02
Alias: Win32.Killwin.m
Activation Date: on or after 12/24/02

Sub-Variants:

Opaserv.M
http://www.pandasoftware.com/virus_info/en...x?idvirus=37793
Filename - MSTASK.EXE
Discovered: 12/21/02

Opaserv.O
http://www.pandasoftware.com/virus_info/en...x?idvirus=37982
Filename - MQBKUP.EXE
(packed by PECompact)
Size of virus: 17,408 bytes
Discovered: 1/14/03

6. VSantivirus: W32/Opasoft.J
http://babelfish.altavista.com/babelfish/u...2Fopasoft-j.htm
executes "MQBKUP.EXE"
Size of virus: 17,408 bytes
Discovered: 12/20/02
Alias: Worm/OpaSoft.G, W32.Opaserv.G, W32/Opaserv.worm.m, W32.Opaserv.J.Worm, TROJ_WINKILL.A, Trojan.Win32.KillWin, W32/Opaserv.L, Win32.Opaserv.I, Trojan.Win32.KillWin.m.1

Sub-Variants:

W32/Opasoft.K
http://babelfish.altavista.com/babelfish/u...2Fopasoft-k.htm
executes "MSTASK.EXE", but this version 'K' does not have a destructive payload like the others
Discovered: 12/27/02
Alias: Worm/OpaSoft.H, W32.Opaserv.H, W32/Opaserv.worm.n, W32.Opaserv.K.Worm, W32/Opaserv.M, Win32.Opaserv.J, Trojan.Win32.KillWin.m.2

W32/Opasoft.M
http://babelfish.altavista.com/babelfish/u...2Fopasoft-m.htm
executes "MSTASK.EXE"
Size of virus: 20,480 bytes
Discovered: 12/27/02
Alias: W32/Opaserv.worm.n, Trojan.Win32.KillWin.m.2, W32/Opaserv-H, W32/Opaserv.M

7. Computer Associates: Win32.Opaserv.I
http://www3.ca.com/virusinfo/Virus.asp?ID=13927
Filename: MQBKUP.EXE
Last Modified: 12/29/02
Alias: Win32/OpaServ.17408.Worm, W32.Opaserv.K.Worm, W32/Opaserv.m.worm.

Sub-Variant: Win32.Opaserv.L
http://www3.ca.com/virusinfo/Virus.asp?ID=13931
Filename: MSTASK.EXE
Last Modified: 12/31/02
Alias: Win32/OpaServ.17408.B.Worm, W32/Opaserv.worm.n, TROJ_WINKILL.A

8. F-Secure: Opaserv.F
http://www.europe.f-secure.com/v-descs/opasoft.shtml
Filename: MQBKUP.EXE
Discovered: end of December 2002
Alias: W32/Opaserv.worm.F, Trojan.Win32.KillWin.m, W32.Opaserv.K.Worm

Sub-Variants:
http://www.europe.f-secure.com/v-descs/opasoft.shtml

Opaserv.G
Filename: MSTASK.EXE
Discovered: end of December 2002
Alias: W32/Opaserv.worm.G, Trojan.Win32.KillWin.m, W32.Opaserv.M.Worm

Opaserv.O
packed with PECompact
Filename: MQBKUP.EXE
Discovered: beginning of January 2003
Alias: Trojan.Win32.KillWin.n

-------------------------------------------------------------------
Opaserv: Eighth Major Variant - SRV32.EXE
-------------------------------------------------------------------

To serve as its infection marker, this malware creates the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SRV32
"Autostart Technique"

The worm also adds this registry entry so that its copy executes on the next Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Srv32Old=(the executed file)"
"Srv32=%Windows%\SRV32.EXE"

On remote machines, the worm creates a PUT.INI file in the C: directory and copies the contents of %Windows%\win.ini to this file. It adds this entry in the [windows] section of a put.ini file: "run = C:\%Windows%\SRV32.EXE" -- next, it copies the contents of put.ini to the win.ini file. The changes allow SRV32.EXE to execute on the next Windows startup. It also copies itself to the Windows directory of the remote computers as SRV32.EXE.

(Sophos) it will attempt to remove older variants of the Opaserv worm by removing the following files from the Windows folder:

* alevir.exe
* scrsvr.exe
* brasil.exe

The following registry entries will also be removed:

* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SCRSVR
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALEVIR
* HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BRASIL

TECHNICAL DETAILS (Trend):

After the worm modifies the registry, it creates a mutex named Srv3231415 so that only one copy of itself runs in memory. It registers itself as a system service on infected systems running Windows 9x, which hides the process from the Close Dialog box that displays when the user of the infected machine hits the CTRL+ALT+DEL keys.

Network Propagation: After the initialization process, the worm creates three threads that execute concurrently. Each thread executes one routine of this worm and uses a separate path of execution.

The Infect Thread: the first thread that the worm creates, which listens for connections from other machines on the same network domain as the infected system. The thread enables infection of other systems where it has write access in the network.
On remote machines, this worm creates a PUT.INI file in the C: directory and copies the contents of %Windows%\win.ini to this file. It adds this entry in the [windows] section of a put.ini file: "run = C:\%Windows%\SRV32.EXE". Next, it copies the contents of put.ini to the win.ini file, which allows SRV32.EXE to execute on the next Windows startup. It also copies itself to the Windows directory of the remote computers as SRV32.EXE. The worm utilizes the Share Level Password exploit to infect the network shares. This allows the worm to access password-protected shares in Windows 95, 98, ME systems. More information and a patch for this exploit are provided in the Microsoft article entitled 'Share Level Password' Vulnerability.

The Search Thread: the second thread that the worm creates, which searches for machines in the same network domain that have shared C: drives. It uses SMB (Server Message Block Protocol) commands to access the shared drives. Once it has received a reply for the share access request, the first thread connects and the second thread continues to scan the domain for other possible shares to infect.

The Update Thread: the third thread is responsible for obtaining an updated copy of the worm from a certain Web site. It is also capable of processing commands from the remote Web site. Then, it sends this information using the data stored on the two local files SRV32.DAT and SRVOUT.DAT in the C: folder. The files are encrypted to prevent the user of the infected system from tampering or viewing the data. The worm repeats some of the functions in the threads in an infinite loop making the process memory-resident.

1. Trend: WORM_OPASERV.O
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.O
Alias: W32/Opaserv.worm.gen, Backdoor.Vecnadoor, Backdoor:Win32/Vecnadoor, W32/Opaserv.worm.o, Win32.Opaserv.O
Size of virus: 18,432 Bytes (compressed); 27,136 Bytes (uncompressed)
Discovered: 1/17/03

Sub-Variant: WORM_OPASERV.Q
http://www.trendmicro.com/vinfo/virusencyc...=WORM_OPASERV.Q
Size of virus: 18,432 Bytes
Discovered: 1/30/03
Alias: W32/Opaserv-J, W32/Opaserv.worm, Worm.Win32.Opasoft.f, I-Worm/Opas.Q, W32/Opaserv.worm.N

2. Symantec: W32.Opaserv.J.Worm
http://securityresponse.symantec.com/avcen...erv.j.worm.html
Size of Virus: 18,432 bytes
Discovered: 12/20/02

3. McAfee Sub-Variants:
W32/Opaserv.worm.o - Filename: SRV32.EXE (18,432 bytes)
W32/Opaserv.worm.q - Filename: SRV32.EXE (18,432 bytes)
W32/Opaserv.worm.s - Filename: SRV32.EXE (18,432 bytes)
W32/Opaserv.worm.t - Filename: SRV32.EXE (18,432 bytes)
W32/Opaserv.worm.u - Filename: SRV32.EXE (18,432 bytes)
W32/Opaserv.worm.v - Filename: SRV32.EXE (18,432 bytes)

4. Sophos: W32/Opaserv-J
http://www.sophos.com/virusinfo/analyses/w...32opaservj.html
Alias: W32/Opaserv.worm.gen, W32.opaserv.K.Worm, WORM_OPASERV_M
Discovered: (unspecified)

Sub-Variants:

W32/Opaserv-K
http://www.sophos.com/virusinfo/analyses/w...32opaservk.html
(Detected by Sophos Anti-Virus since January 2003)
NOTE: W32/Opaserv-K may drop and run the files C:\mslicenf.com and C:\bootsect.dos, detected by Sophos Anti-Virus as Troj/Qzap-248 and Troj/Qzap-249 respectively.
Troj/Qzap-248: http://www.sophos.com/virusinfo/analyses/t...rojqzap248.html
Troj/Qzap-249: http://www.sophos.com/virusinfo/analyses/t...rojqzap249.html

W32/Opaserv-L
http://www.sophos.com/virusinfo/analyses/w...32opaservl.html
Alias: Worm.Win32.Opasoft.G, W32/Opaserv.worm.gen

5. Panda: Opaserv.N
http://www.pandasoftware.com/virus_info/en...x?idvirus=37958
Size of virus: 18,432 bytes
Discovered: 1/14/03

6. F-Secure: Opaserv.N
http://www.europe.f-secure.com/v-descs/opasoft.shtml
packed with ASPack
Discovered: beginning of January 2003
Alias: Worm.Win32.Opasoft.f
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

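The WIN.INI persistence described in the guide above can be checked for offline. The following is an added example, not part of the original post or any vendor's tool: it reads the text of a WIN.INI copied from a suspect machine and reports `run=` entries in the `[windows]` section whose file name matches one the guide lists. The function names and the sample file are constructed for illustration, and it assumes entries on a `run=` line are separated by spaces or commas.

```python
import ntpath

# File names this guide lists for Opaserv variants (matched case-insensitively).
OPASERV_NAMES = {"scrsvr.exe", "alevir.exe", "brasil.exe",
                 "mqbkup.exe", "mstask.exe", "srv32.exe"}

# Constructed sample, not taken from an infected machine.
SAMPLE_WIN_INI = r"""
; constructed WIN.INI
[windows]
load=
run = C:\%Windows%\SRV32.EXE C:\TOOLS\CLOCK.EXE
NullPort=None

[Desktop]
run=C:\WINDOWS\MQBKUP.EXE
"""


def windows_run_entries(ini_text):
    """Return the programs named on run= lines inside the [windows] section."""
    section = None
    entries = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue  # only the [windows] section is honoured at startup
        key, value = line.split("=", 1)
        if key.strip().lower() == "run":
            entries.extend(value.replace(",", " ").split())
    return entries


def suspicious_entries(ini_text):
    """Return run= entries whose base file name is on the Opaserv list."""
    hits = []
    for entry in windows_run_entries(ini_text):
        name = ntpath.basename(entry.strip('"')).lower()
        if name in OPASERV_NAMES:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_WIN_INI):
        print("suspicious run= entry:", hit)
```

A match is a lead to follow up with the file sizes and registry entries listed per variant above, not proof of infection on its own.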

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

Most worthy and hopefully will help a lot of people understand this far too common worm.

Blake

