Opasoft, also known as "Opaserv"is a network worm that has a
backdoor routine. The worm spreads over local and wide-area
networks using MS Windows NETBIOS services. The worm itself is a
Windows PE EXE file with a length of about 28KB.
The Opasoft worm was first detected at the end of September 2002
- by the beginning of October 2002 it had already caused a global
outbreak.
Technical Information
The worm installs itself to the Windows directory with the name
"scrsvr.exe" and registers this file in the system registry's
auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%
Opasoft then deletes its original file (from where it was
started).
In order to find victim computers Opasoft scans subnets for port
137 (NETBIOS Name Service). IP addresses of the following
networks are scanned:
* current subnet of the infected computer (aa.bb.cc ??)
* the two nearest subnets of the currently infected computer (aa.bb.cc.cc+1 ?? , aa.bb.cc-1 ??)
* selects subnets randomly (excluding those where scanning is disabled)
If while searching (scanning) Opasoft happens upon a responding
IP address (of an actual computer), the worm then scans the two
nearest subnets of that IP address.
When "reply data" is received, Opasoft checks the special field
that it contains. If it shows that the given computer has the
service "File and Print Sharing" open, Opasoft begins its
infection procedure on that computer as a remote host.
During infection, Opasoft sends, via port 139 (NETBIOS Session
Service) special SMB - packets that transmit the following
commands:
1. sets a connection with the \\hostname\C resource, where
"hostname" = the name of the victim computer which is defined
when the victim computer answers Opasoft (by sending its "reply
data") during the scan
2. if the resource is password-protected the worm runs through
all possible "one symbol" passwords - conducting a "brute-force"
attack
3. if connection is successful, Opasoft transmits its EXE file -
during transmission the full name of the destination file
containing the code (exe file) is revealed:
WINDOWS\scrsvr.exe
4. Opasoft then reads the Windows\win.ini file on the victim
machine and copies (saves) it to the local disk (of the remote
computer) under the name:
C:\TMP.INI
5. the worm adds auto run command for the dropped EXE file to
C:\TMP.INI file the wormand copies it back to the victim computer
To receive the packets from the remote computer two files appear
on the victim machine:
\WINDOWS\scrsvr.exe - a copy of the Opasoft worm
\WINDOWS\win.ini - A Windows INI file which contains the auto-run command (to "auto-run" the Opasoft worm)
The second file, WIN.INI, results in Opasoft gaining control of
the victim computer upon system restart.
To get passwords needed to gain access to victim machines, the
worm uses the security breach "share level password exploit". For
a detailed description of this exploit please click the following
page:
http://www.nsfocus.com/english/homepage/sa_05.htm
The worm programmatically "suggests" a password field with only
one character length to the victim host. When there is a one-byte
password "suggested", the host will check only the first byte of
the password. In case the first byte is correct, the
authentication process will be successfully completed. As a
result it is enough to try only all one-byte passwords for the
attacker to exploit vulnerable Win9x machines. The patch for this
vulnerability is available at:
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
The backdoor routine goes to the www.opasoft.com WEB-site and
performs the following actions:
* downloads and executes its latest version (if there is one)
* downloads and processes script files placed at this site
New worm versions are downloaded to the file "scrupd.exe". This
file is then run, and replaces the existing worm copy.
While processing the backdoor uses its data files: "ScrSin.dat"
and "ScrSout.dat". These files are encrypted with a strong
crypto-algorythm.
Because the server at www.opasoft.com is down, it is not possible
to get more information about this backdoor routine.
To avoid double twice on the same machine the worm creates a
"Windows mutex" under the "ScrSvr31415" name.
Win9x machines are infectable while the infectinon of WinNT-based
machines is highly unlikely and almost impossible.
One of worm versions writes log data about scanned and infected
machines to the "ScrLog" and "ScrLog2" files.
The worm caused a global outbreak and hit many Win9x systems
because of following reasons:
* it spreads using the standard NETBIOS protocol
* the "\\hostname\C" resource name is the default name on opening a share on C: drive
* there is no request for a password on share opening
* many users don't pay enough attention to password length and security
To get rid of the worm and to avoid reinfection it is necessary
to:
* disable file sharing, or apply safe enough password to opened shares
* delete infected EXE file
* remove worm's "run" commands from WIN.INI file and system registry (see above)
F-Secure Anti-Virus detects Opaserv worm with the following
updates:
[FSAV_Database_Version]
Version=2002-10-01_02
Opasoft.a, also known as "Brasil" is a new variant of the
"Opasoft" worm that appeared in the middle of October 2002.
The differences are:
1. The original "Opasoft.a" worm is not compressed. The "Brasil"
variant is encrypted by the "PCPEC" PE EXE file encryption
utility and then compressed by the "UPX" PE EXE files compression
tool.
2. The text strings are patched. For example, the following
strings are replaced:
"ScrSvr", "ScrSin" -> "Brasil"
"ScrSout" -> "Brasil!"
"scrupd" -> "puta!!"
"www.opasoft.com" -> www.n3t.com.br
As a result the "Brasil" modification behaves a bit differently,
however the spreading and backdoor routines are exactly the same
as with the original worm variant.
The Opasoft.a worm installs itself to the Windows directory under
the name "brasil.exe" or "brasil.pif" (depending on the "Brasil"
patch variant) and registers this file in the auto-run registry
key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Brasil = %worm name%
While infecting remote computers the Opasoft.a worm uploads
itself under the "brasil.exe" or "brasil.pif" name, and writes a
corresponding string to a remote WIN.INI file.
The backdoor routine goes to the www.n3t.com.br WEB-site and
performs the following actions:
* it downloads and executes its new version (if there is one) from this site
* it downloads and processes script files placed at this site
F-Secure Anti-Virus detects the 'Brasil' variant of Opaserv worm
with the following updates:
[FSAV_Database_Version]
Version=2002-10-21_03
There exist a few minor variants of Opaserv worm that install
themselves to Windows with alevir.exe or marco!.scr file names.
These worm variants are detected as Opaserv.A and they have the
same functionalities as the original worm variant.
Disinfection Tool
F-Secure provides the special tool to disinfect all known Opaserv
worm variants. The tool and disinfection instructions are
available on our ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-opasrv.zip
This variant appeared in the middle of November 2002. It is
packed with UPX and VGCrypt file compressors. The worm installs
itself to system as INSTIT.BAT file. It is another "Brasilian"
modification of Opaserv worm.
Disinfection Tool
F-Secure provides the special disinfection tool to clean infected
computers from Opaserv worm. The tool is called OpasTool and it
can be downloaded from our ftp site:
ftp://ftp.europe.f-secure.com/anti-virus/tools/opastool.zip
Step-by-step removal instructions can be found here (the
instructions are also included into the above mentioned ZIP
archive together with the tool):
ftp://ftp.europe.f-secure.com/anti-virus/tools/opastool.txt
| VARIANT: | Opaserv.F |
| ALIAS: | W32/Opaserv.worm.F, Trojan.Win32.KillWin.m, W32.Opaserv.K.Worm |
In the end of December 2002 there appeared a new variant of
Opaserv worm that carried a trojan inside its body. The new
variant installs itself as MQBKUP.EXE to Windows directory. The
embedded trojan is a time bomb that prevents a computer or its
operating system from starting when the payload is activated.
| VARIANT: | Opaserv.G |
| ALIAS: | W32/Opaserv.worm.G, Trojan.Win32.KillWin.m, W32.Opaserv.M.Worm |
Also in the end of December 2002 there appeared another new
variant of Opaserv worm that also carried a trojan inside its
body. The new variant installs itself as MSTASK.EXE to Windows
directory. The embedded trojan is a time bomb that prevents a
computer or its operating system from starting when the payload
is activated.
F-Secure Anti-Virus detects Opaserv.G with the updates published
on December 27th, 2002:
[FSAV_Database_Version]
Version=2002-12-27_04
In the beginning of January 2003 there appeared a new variant of
Opaserv worm. That variant was packed with ASPack file compressor
and was installing itself to system as SRV32.EXE file. The new
variant had the functionality to remove some older versions of
Opaserv worm from an infected system by deleting the following
files and removing autostartup Registry keys for them:
c:\windows\scrsvr.exe
c:\windows\alevir.exe
c:\windows\brasil.exe
The Opaserv.N variant is a close variant of the original
Opaserv.A worm, however it contains a different URL.
F-Secure Anti-Virus detects Opaserv.N with the updates published
on January 14th, 2003:
[FSAV_Database_Version]
Version=2003-01-14_03
In the beginning January 2003 there also appeared another new
variant of Opaserv worm. The new variant was packed with
PECompact file compressor and was installing itself to system as
MQBKUP.EXE file. The Opaserv.O variant was a close variant of
Opaserv.G worm and it also had an embedded trojan. The trojan was
a time bomb that could make a computer unbootable when the
payload is activated.
The sign that the payload has been activated is the following
message that is displayed when an infected computer starts:
NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.
The payload causes damage to data on an affected hard drive.
F-Secure Anti-Virus detects Opaserv.O with the updates published
on January 14th, 2003:
[FSAV_Database_Version]
Version=2003-01-14_03
[Description: Kaspersky Labs, F-Secure Corp.; Oct. 2nd - Dec. 27th, 2002; Jan 14th, 2003]
