Threat Description

Opaserv

Details

Aliases:Opaserv, Worm_Win32_Opasoft, Worm.Win32.Opasoft, I-Worm.Opasoft, W95/Scrup.worm, W32.Opaserv.Worm, Opasoft, Scrup
Category: Malware
Type:
Platform: W32

Summary



Opasoft, also known as "Opaserv"is a network worm that has a backdoor routine. The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with a length of about 28KB.The Opasoft worm was first detected at the end of September 2002 - by the beginning of October 2002 it had already caused a global outbreak.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



The worm installs itself to the Windows directory with the name "scrsvr.exe" and registers this file in the system registry's auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 ScrSvr = %worm name%

Opasoft then deletes its original file (from where it was started).

In order to find victim computers Opasoft scans subnets for port 137 (NETBIOS Name Service). IP addresses of the following networks are scanned:

  * current subnet of the infected computer (aa.bb.cc ??)
 * the two nearest subnets of the currently infected computer 
	(aa.bb.cc.cc+1 ?? , aa.bb.cc-1 ??)
 * selects subnets randomly (excluding those where scanning is disabled)

If while searching (scanning) Opasoft happens upon a responding IP address (of an actual computer), the worm then scans the two nearest subnets of that IP address.

When "reply data" is received, Opasoft checks the special field that it contains. If it shows that the given computer has the service "File and Print Sharing" open, Opasoft begins its infection procedure on that computer as a remote host.

During infection, Opasoft sends, via port 139 (NETBIOS Session Service) special SMB - packets that transmit the following commands:

  • sets a connection with the \\hostname\C resource, where "hostname" = the name of the victim computer which is defined when the victim computer answers Opasoft (by sending its "reply data") during the scan
  • if the resource is password-protected the worm runs through all possible "one symbol" passwords - conducting a "brute-force" attack
  • if connection is successful, Opasoft transmits its EXE file - during transmission the full name of the destination file containing the code (exe file) is revealed:
     WINDOWS\scrsvr.exe
    
  • Opasoft then reads the Windows\win.ini file on the victim machine and copies (saves) it to the local disk (of the remote computer) under the name:
     C:\TMP.INI
    
  • the worm adds auto run command for the dropped EXE file to C:\TMP.INI file the wormand copies it back to the victim computer. To receive the packets from the remote computer two files appear on the victim machine:
    \WINDOWS\scrsvr.exe - a copy of the Opasoft worm
     \WINDOWS\win.ini - A Windows INI file which contains the auto-run command 
     (to "auto-run" the Opasoft worm)
    

The second file, WIN.INI, results in Opasoft gaining control of the victim computer upon system restart.

To get passwords needed to gain access to victim machines, the worm uses the security breach "share level password exploit". For a detailed description of this exploit please click the following page: http://www.nsfocus.com/english/homepage/sa_05.htm

The worm programmatically "suggests" a password field with only one character length to the victim host. When there is a one-byte password "suggested", the host will check only the first byte of the password. In case the first byte is correct, the authentication process will be successfully completed. As a result it is enough to try only all one-byte passwords for the attacker to exploit vulnerable Win9x machines. The patch for this vulnerability is available at: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

The backdoor routine goes to the www.opasoft.com WEB-site and performs the following actions:

  * downloads and executes its latest version (if there is one)
 * downloads and processes script files placed at this site

New worm versions are downloaded to the file "scrupd.exe". This file is then run, and replaces the existing worm copy.

While processing the backdoor uses its data files: "ScrSin.dat" and "ScrSout.dat". These files are encrypted with a strong crypto-algorythm.

Because the server at www.opasoft.com is down, it is not possible to get more information about this backdoor routine.

To avoid double twice on the same machine the worm creates a "Windows mutex" under the "ScrSvr31415" name.

Win9x machines are infectable while the infectinon of WinNT-based machines is highly unlikely and almost impossible.

One of worm versions writes log data about scanned and infected machines to the "ScrLog" and "ScrLog2" files.

The worm caused a global outbreak and hit many Win9x systems because of following reasons:

  * it spreads using the standard NETBIOS protocol
 * the "\\hostname\C" resource name is the default name on 
	opening a share on C: drive
 * there is no request for a password on share opening
 * many users don't pay enough attention to password length and security

To get rid of the worm and to avoid reinfection it is necessary to:

  * disable file sharing, or apply safe enough password to opened shares
 * delete infected EXE file
 * remove worm's "run" commands from WIN.INI file and system registry (see above)

Variant:Opasoft.A (Worm.Win32.Opasoft.a, Brasil)

Opasoft.a, also known as "Brasil" is a new variant of the "Opasoft" worm that appeared in the middle of October 2002.

The differences are:

  • The original "Opasoft.a" worm is not compressed. The "Brasil" variant is encrypted by the "PCPEC" PE EXE file encryption utility and then compressed by the "UPX" PE EXE files compression tool.
  • The text strings are patched. For example, the following strings are replaced:
    • "ScrSvr", "ScrSin" -> "Brasil"
    • "ScrSout" -> "Brasil!"
    • "scrupd" -> "puta!!"
    • "www.opasoft.com" -> www.n3t.com.br

As a result the "Brasil" modification behaves a bit differently, however the spreading and backdoor routines are exactly the same as with the original worm variant.

The Opasoft.a worm installs itself to the Windows directory under the name "brasil.exe" or "brasil.pif" (depending on the "Brasil" patch variant) and registers this file in the auto-run registry

Key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 Brasil = %worm name%

While infecting remote computers the Opasoft.a worm uploads itself under the "brasil.exe" or "brasil.pif" name, and writes a corresponding string to a remote WIN.INI file.

The backdoor routine goes to the www.n3t.com.br WEB-site and performs the following actions:

  * it downloads and executes its new version (if there is one) from this site
 * it downloads and processes script files placed at this site

There exist a few minor variants of Opaserv worm that install themselves to Windows with alevir.exe or marco!.scr file names. These worm variants are detected as Opaserv.A and they have the same functionalities as the original worm variant.


Variant:Opaserv.E (Worm.Win32.Opasoft.E, Opasoft.E)

This variant appeared in the middle of November 2002. It is packed with UPX and VGCrypt file compressors. The worm installs itself to system as INSTIT.BAT file. It is another "Brasilian" modification of Opaserv worm.


Variant:Opaserv.F (W32/Opaserv.worm.F, Trojan.Win32.KillWin.m, W32.Opaserv.K.Worm)

In the end of December 2002 there appeared a new variant of Opaserv worm that carried a trojan inside its body. The new variant installs itself as MQBKUP.EXE to Windows directory. The embedded trojan is a time bomb that prevents a computer or its operating system from starting when the payload is activated.


Variant:Opaserv.G (W32/Opaserv.worm.G, Trojan.Win32.KillWin.m, W32.Opaserv.M.Worm)

Also in the end of December 2002 there appeared another new variant of Opaserv worm that also carried a trojan inside its body. The new variant installs itself as MSTASK.EXE to Windows directory. The embedded trojan is a time bomb that prevents a computer or its operating system from starting when the payload is activated.


Variant:Opaserv.N (Worm.Win32.Opasoft.f)

In the beginning of January 2003 there appeared a new variant of Opaserv worm. That variant was packed with ASPack file compressor and was installing itself to system as SRV32.EXE file. The new variant had the functionality to remove some older versions of Opaserv worm from an infected system by deleting the following files and removing autostartup Registry keys for them:

c:\windows\scrsvr.exe
 c:\windows\alevir.exe
 c:\windows\brasil.exe

The Opaserv.N variant is a close variant of the original Opaserv.A worm, however it contains a different URL.


Variant:Opaserv.O (Trojan.Win32.KillWin.n)

In the beginning January 2003 there also appeared another new variant of Opaserv worm. The new variant was packed with PECompact file compressor and was installing itself to system as MQBKUP.EXE file. The Opaserv.O variant was a close variant of Opaserv.G worm and it also had an embedded trojan. The trojan was a time bomb that could make a computer unbootable when the payload is activated.

The sign that the payload has been activated is the following message that is displayed when an infected computer starts:

NOTICE:
 Illegal Microsoft Windows license detected!
 You are in violation of the Digital Millennium Copyright Act!
 Your unauthorized license has been revoked.

 For more information, please call us at:
 1-888-NOPIRACY

 If you are outside the USA, please look up the correct contact information
 on our website, at:
 www.bsa.org
 
 Business Software Alliance
 Promoting a safe & legal online world.

The payload causes damage to data on an affected hard drive.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More