W32/Opanki.worm

Type: Virus
SubType: Worm
Discovery Date: 05/02/2005
Length: Varies
Minimum DAT: 4481 (05/02/2005)
Updated DAT: 5489 (01/08/2009)
Minimum Engine: 5.1.00
Description Added: 05/02/2005
Description Modified: 05/24/2005 9:07 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

As of May 24, 2005, there are more than 20 known variants of this worm.

This threat "spreads" via a hyperlink received over AOL Instant Messenger. Recipients may receive a message such as:

  • hey check out this
  • hehe :) i found this funny movie

Following the hyperlink results in users being prompted to save/run an executable file (such as pictures@gallery.com). If users choose to download and/or run this file, it will contact a remote IRC server, log on to a specified channel and wait for further instructions. One of these instructions can result in the bot program sending the aforementioned hyperlink to all recipients on the infected user's buddy list. Technically not a worm, this threat requires a bot commander to initiate the "spimming" (IM spam) routine.

Symptoms

This threat copies itself to the WINDOWS (%WinDir%) directory as svchost.exe (note that the valid svchost.exe file lives in the WINDOWS SYSTEM directory, not directly under %WinDir%). The shell is hooked via the registry to ensure the threat is run at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe C:\WINDOWS\svchost.exe

The bot will attempt to connect to a remote IRC server, such as "d205.yi.org" or "ftpd.there3d.com".
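The Winlogon "Shell" hook above is easy to check for. The following is an added example (not McAfee's code) that parses a Shell value, lists every entry other than the expected Explorer.exe, and flags an svchost.exe that sits outside a SYSTEM directory, as this threat's copy does; the sample values are constructed, and the comma-or-whitespace split and the helper names are assumptions.

```python
import ntpath
import re
import sys

# Constructed sample values (not taken from the page): a clean default
# and one mirroring the startup hook described in the Symptoms section.
SAMPLE_VALUES = {
    "clean": "Explorer.exe",
    "hooked": r"Explorer.exe C:\WINDOWS\svchost.exe",
}

def split_shell_value(value):
    """Split a Winlogon Shell value into its programs.
    Assumption: entries are separated by commas or whitespace."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]

def extra_shell_entries(value):
    """Return every entry that is not the expected explorer.exe."""
    return [p for p in split_shell_value(value)
            if ntpath.basename(p).lower() != "explorer.exe"]

def svchost_outside_system32(entries):
    """Flag an svchost.exe whose parent directory is not a SYSTEM
    directory; the legitimate binary lives under %WinDir%\System32,
    so a copy directly in %WinDir% matches this threat's behaviour."""
    system_dirs = ("system32", "syswow64", "system")
    return [p for p in entries
            if ntpath.basename(p).lower() == "svchost.exe"
            and ntpath.basename(ntpath.dirname(p)).lower() not in system_dirs]

def assess(value):
    """Summarise a Shell value: unexpected entries and rogue svchost paths."""
    extras = extra_shell_entries(value)
    return {"extra": extras, "rogue_svchost": svchost_outside_system32(extras)}

def read_live_shell_value():
    """On Windows, read the real Shell value; elsewhere return None."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Shell")[0]

if __name__ == "__main__":
    value = read_live_shell_value() or SAMPLE_VALUES["hooked"]
    print(assess(value))
```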

Method of Infection

This threat "spreads" via AOL Instant Messenger.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Oscarbot
  • W32.Allim (Symantec)