Classification

Category :

Malware

Type :

-

Aliases :

Opaserv, Worm_Win32_Opasoft, Worm.Win32.Opasoft, I-Worm.Opasoft, W95/Scrup.worm, W32.Opaserv.Worm, Opasoft, Scrup

Summary

Opasoft, also known as "Opaserv", is a network worm that has a backdoor routine. The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with a length of about 28KB. The Opasoft worm was first detected at the end of September 2002; by the beginning of October 2002 it had already caused a global outbreak.

Removal

Based on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm installs itself to the Windows directory with the name "scrsvr.exe" and registers this file in the system registry's auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%

Opasoft then deletes its original file (from where it was started).

In order to find victim computers, Opasoft scans subnets for port 137 (NETBIOS Name Service). The IP addresses of the following networks are scanned:

* the current subnet of the infected computer (aa.bb.cc.??)

* the two nearest subnets of the infected computer (aa.bb.cc+1.??, aa.bb.cc-1.??)

* randomly selected subnets (excluding those where scanning is disabled)

If, while scanning, Opasoft finds a responding IP address (an actual computer), the worm then scans the two subnets nearest to that IP address.

When the "reply data" is received, Opasoft checks a special field it contains. If the field shows that the computer has the "File and Print Sharing" service open, Opasoft begins its infection procedure against that computer as a remote host.
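As an added example (not part of the original description), the following Python flags the worm's name-service sweep pattern in firewall logs: one source probing UDP/137 on many hosts in its own /24 and in both neighbouring /24s. The log layout, the function names and the sample lines are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical firewall log layout assumed for this example.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport) or None for lines that don't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.upper(), int(dport)

def net24(ip):
    """The /24 containing ip, as a string such as '10.1.5.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def find_netbios_sweeps(lines, min_hosts=16):
    """Map each source that probed UDP/137 on at least min_hosts distinct
    hosts to (host_count, sorted /24s probed, neighbours_flag). The flag is
    True when both /24s adjacent to the source's own /24 were probed, which
    is the pattern Opasoft follows."""
    probed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "UDP" and rec[3] == 137:
            probed[rec[0]].add(rec[1])
    hits = {}
    for src, dsts in probed.items():
        if len(dsts) < min_hosts:
            continue
        nets = {net24(d) for d in dsts}
        base = ipaddress.ip_network(f"{src}/24", strict=False).network_address
        lower, upper = net24(base - 256), net24(base + 256)
        hits[src] = (len(dsts), sorted(nets), lower in nets and upper in nets)
    return hits

# Constructed sample: 10.1.5.20 sweeps its own /24 and both neighbours,
# 10.1.5.99 makes a single ordinary name lookup.
SAMPLE_LINES = (
    [f"Oct 1 10:00:{i:02d} fw SRC=10.1.5.20 DST=10.1.5.{i} PROTO=UDP DPT=137"
     for i in range(1, 31)]
    + [f"Oct 1 10:01:00 fw SRC=10.1.5.20 DST=10.1.{n}.{i} PROTO=UDP DPT=137"
       for n in (4, 6) for i in (1, 2, 3)]
    + ["Oct 1 10:02:00 fw SRC=10.1.5.99 DST=10.1.5.7 PROTO=UDP DPT=137",
       "Oct 1 10:02:01 fw SRC=10.1.5.20 DST=10.1.5.7 PROTO=TCP DPT=139"]
)

if __name__ == "__main__":
    for src, (count, nets, adjacent) in find_netbios_sweeps(SAMPLE_LINES).items():
        print(f"{src}: {count} hosts on UDP/137 across {nets}, adjacent={adjacent}")
```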

During infection, Opasoft sends special SMB packets via port 139 (NETBIOS Session Service) that carry the following commands:

  • it opens a connection to the \\hostname\C resource, where "hostname" is the name of the victim computer, learned when the victim answered Opasoft (by sending its "reply data") during the scan
  • if the resource is password-protected, the worm runs through all possible "one symbol" passwords, i.e. it conducts a "brute-force" attack
  • if the connection succeeds, Opasoft transmits its EXE file; during the transmission the full name of the destination file that receives the code (the exe file) is revealed:
     WINDOWS\scrsvr.exe
    
  • Opasoft then reads the Windows\win.ini file on the victim machine and copies (saves) it to its own local disk (the disk of the remote, infecting computer) under the name:
    
    C:\TMP.INI
    
  • the worm adds an auto-run command for the dropped EXE file to the C:\TMP.INI file and copies it back to the victim computer. Once the victim has received the packets, two files appear on the victim machine:
    \WINDOWS\scrsvr.exe - a copy of the Opasoft worm
    \WINDOWS\win.ini - a Windows INI file which contains the auto-run command
     (to "auto-run" the Opasoft worm)
    

The second file, WIN.INI, results in Opasoft gaining control of the victim computer upon system restart.

To get the passwords needed to gain access to victim machines, the worm uses the security flaw known as the "share level password exploit". For a detailed description of this exploit, see the following page: https://www.nsfocus.com/english/homepage/sa_05.htm

The worm programmatically "suggests" to the victim host a password field that is only one character long. When a one-byte password is "suggested", the host checks only the first byte of the password. If that first byte is correct, the authentication completes successfully. As a result, it is enough for the attacker to try all one-byte passwords to exploit vulnerable Win9x machines. The patch for this vulnerability is available at: https://www.microsoft.com/technet/security/bulletin/MS00-072.asp
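As an added illustration (not part of the original description), the following Python models the share-level check the text describes, before and after the MS00-072 fix, and counts how many of the 256 possible one-byte passwords each version accepts. The function names are hypothetical and the check is a model, not Windows code.

```python
import hmac

def share_auth_vulnerable(stored: bytes, supplied: bytes) -> bool:
    """Models the unpatched Win9x share-level check (MS00-072) as described
    above: only as many bytes as the client supplied are compared, so a
    one-byte guess is accepted whenever it matches the first byte of the
    real password. Deliberately kept wrong to show the flaw."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied

def share_auth_fixed(stored: bytes, supplied: bytes) -> bool:
    """Patched behaviour: lengths must match and every byte is compared,
    in constant time, so a short guess never passes for a longer password."""
    return hmac.compare_digest(stored, supplied)

def one_byte_exposure(auth, stored: bytes) -> int:
    """Number of single-byte passwords (out of 256) that the given check
    accepts for the stored password. Anything above zero means a one-byte
    guess is enough to open the share, whatever the real password's length."""
    return sum(1 for v in range(256) if auth(stored, bytes([v])))

if __name__ == "__main__":
    pw = b"S3cret"  # constructed sample share password
    print("unpatched:", one_byte_exposure(share_auth_vulnerable, pw))  # 1
    print("patched:  ", one_byte_exposure(share_auth_fixed, pw))       # 0
```

Only a genuinely one-byte share password remains guessable with the patched check, which is why the description also recommends a sufficiently strong password on open shares.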

The backdoor routine goes to the www.opasoft.com web site and performs the following actions:

* downloads and executes its latest version (if there is one)

* downloads and processes script files placed at this site

New worm versions are downloaded to the file "scrupd.exe". This file is then run, and replaces the existing worm copy.

While processing, the backdoor uses its data files "ScrSin.dat" and "ScrSout.dat". These files are encrypted with a strong cryptographic algorithm.

Because the server at www.opasoft.com is down, it is not possible to get more information about this backdoor routine.

To avoid running twice on the same machine, the worm creates a Windows mutex named "ScrSvr31415".

Win9x machines are infectable, while the infection of WinNT-based machines is highly unlikely and almost impossible.

One of the worm versions writes log data about scanned and infected machines to the "ScrLog" and "ScrLog2" files.

The worm caused a global outbreak and hit many Win9x systems for the following reasons:

* it spreads using the standard NETBIOS protocol

* the "\\hostname\C" resource name is the default name when a share is opened on the C: drive

* no password is requested when a share is opened

* many users don't pay enough attention to password length and security

To get rid of the worm and to avoid reinfection it is necessary to:

* disable file sharing, or apply a sufficiently strong password to opened shares

* delete the infected EXE file

* remove the worm's "run" commands from the WIN.INI file and the system registry (see above)
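As an added example (not F-Secure's tooling), the following Python checks the two persistence locations named in this description: the run=/load= lines of WIN.INI and the HKLM Run key in a REGEDIT4 export. It reports entries that name one of the worm file names listed on this page and returns a cleaned WIN.INI. The sample inputs are constructed; the function names are hypothetical.

```python
import re

# Worm file names given in this description (original and variants). MSTASK.EXE
# is left out on purpose: it is also a legitimate Windows file name.
WORM_FILES = {"scrsvr.exe", "scrupd.exe", "brasil.exe", "brasil.pif",
              "alevir.exe", "marco!.scr", "instit.bat", "mqbkup.exe", "srv32.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def _mentions_worm(value):
    return any(name in value.lower() for name in WORM_FILES)

def scan_winini(text):
    """Return (worm_entries, cleaned_text): worm-related entries found on the
    run=/load= lines of the [windows] section, and WIN.INI with them removed.
    Assumes entries on those lines are space separated (paths without spaces)."""
    hits, out, section = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and "=" in s:
            key, _, val = s.partition("=")
            if key.strip().lower() in ("run", "load"):
                bad = [e for e in val.split() if _mentions_worm(e)]
                hits += bad
                keep = [e for e in val.split() if e not in bad]
                line = f"{key.strip()}={' '.join(keep)}"
        out.append(line)
    return hits, "\n".join(out) + "\n"

def find_registry_run_values(reg_text):
    """Return [(value_name, data)] for values under the Run key of a REGEDIT4
    export whose data names a worm file (escaped backslashes are unescaped)."""
    hits, in_key = [], False
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_key = s[1:-1].lower() == RUN_KEY.lower()
        elif in_key:
            m = re.match(r'"([^"]+)"="(.*)"$', s)
            if m and _mentions_worm(m.group(2)):
                hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits

# Constructed sample input (not taken from a real infected machine).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\scrsvr.exe\nNullPort=None\n"
SAMPLE_REG = ("REGEDIT4\n\n[" + RUN_KEY + "]\n"
              '"ScrSvr"="C:\\\\WINDOWS\\\\scrsvr.exe"\n"SystemTray"="SysTray.Exe"\n')

if __name__ == "__main__":
    print(scan_winini(SAMPLE_WIN_INI)[0], find_registry_run_values(SAMPLE_REG))
```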

Variant:Opasoft.A (Worm.Win32.Opasoft.a, Brasil)

Opasoft.a, also known as "Brasil", is a new variant of the "Opasoft" worm that appeared in the middle of October 2002.

The differences are:

  • The original "Opasoft.a" worm is not compressed. The "Brasil" variant is encrypted by the "PCPEC" PE EXE file encryption utility and then compressed by the "UPX" PE EXE files compression tool.
  • The text strings are patched. For example, the following strings are replaced:
    • "ScrSvr", "ScrSin" -> "Brasil"
    • "ScrSout" -> "Brasil!"
    • "scrupd" -> "puta!!"
    • "www.opasoft.com" -> "www.n3t.com.br"

As a result the "Brasil" modification behaves a bit differently, however the spreading and backdoor routines are exactly the same as with the original worm variant.

The Opasoft.a worm installs itself to the Windows directory under the name "brasil.exe" or "brasil.pif" (depending on the "Brasil" patch variant) and registers this file in the auto-run registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Brasil = %worm name%

While infecting remote computers the Opasoft.a worm uploads itself under the "brasil.exe" or "brasil.pif" name, and writes a corresponding string to a remote WIN.INI file.

The backdoor routine goes to the www.n3t.com.br web site and performs the following actions:

* it downloads and executes its new version (if there is one) from this site

* it downloads and processes script files placed at this site

There are a few minor variants of the Opaserv worm that install themselves to Windows with the alevir.exe or marco!.scr file names. These worm variants are detected as Opaserv.A and they have the same functionality as the original worm variant.

Variant:Opaserv.E (Worm.Win32.Opasoft.E, Opasoft.E)

This variant appeared in the middle of November 2002. It is packed with the UPX and VGCrypt file compressors. The worm installs itself to the system as the INSTIT.BAT file. It is another "Brasilian" modification of the Opaserv worm.

Variant:Opaserv.F (W32/Opaserv.worm.F, Trojan.Win32.KillWin.m, W32.Opaserv.K.Worm)

At the end of December 2002 a new variant of the Opaserv worm appeared that carried a trojan inside its body. The new variant installs itself as MQBKUP.EXE to the Windows directory. The embedded trojan is a time bomb that prevents the computer or its operating system from starting when the payload is activated.

Variant:Opaserv.G (W32/Opaserv.worm.G, Trojan.Win32.KillWin.m, W32.Opaserv.M.Worm)

Also at the end of December 2002 another new variant of the Opaserv worm appeared that likewise carried a trojan inside its body. The new variant installs itself as MSTASK.EXE to the Windows directory. The embedded trojan is a time bomb that prevents the computer or its operating system from starting when the payload is activated.

Variant:Opaserv.N (Worm.Win32.Opasoft.f)

At the beginning of January 2003 a new variant of the Opaserv worm appeared. This variant was packed with the ASPack file compressor and installed itself to the system as the SRV32.EXE file. The new variant had the functionality to remove some older versions of the Opaserv worm from an infected system by deleting the following files and removing their autostart Registry keys:

c:\windows\scrsvr.exe
c:\windows\alevir.exe
c:\windows\brasil.exe

The Opaserv.N variant is a close variant of the original Opaserv.A worm; however, it contains a different URL.

Variant:Opaserv.O (Trojan.Win32.KillWin.n)

At the beginning of January 2003 another new variant of the Opaserv worm also appeared. The new variant was packed with the PECompact file compressor and installed itself to the system as the MQBKUP.EXE file. The Opaserv.O variant was a close variant of the Opaserv.G worm and also had an embedded trojan. The trojan was a time bomb that could make the computer unbootable when the payload is activated.

The sign that the payload has been activated is the following message that is displayed when an infected computer starts:

NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
 For more information, please call us at:
1-888-NOPIRACY
 If you are outside the USA, please look up the correct contact information
on our website, at:
www.bsa.org

Business Software Alliance
Promoting a safe & legal online world.

The payload causes damage to data on an affected hard drive.