W32/Opaserv.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 09/28/2002
- Length: 28,672 bytes
- Minimum DAT: 4226 (09/30/2002)
- Updated DAT: 4226 (09/30/2002)
- Minimum Engine: 5.1.00
- Description Added: 09/30/2002
- Description Modified: 03/22/2004 2:09 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
--- Update December 24, 2003 ---
One new variant (.ai) has been discovered. It has been seen with the file name natal!.pif and is 17,478 bytes in length.
--- Update September 19, 2003 ---
Two new variants (.ac and .ad) have been discovered. Both are 26,064 bytes in size.
--- Update March 06, 2003 ---
Several new variants appeared recently (.s-.v). They were all proactively detected (currently caught as "W32/Opaserv.worm.gen"); please check the list of variants. Reporting of the individual variant letters is included in the 4252 DAT update.
---
--- Update January 16, 2003 ---
Several new variants appeared recently (.n-.r). They were all proactively detected; please check the list of variants. Reporting of the individual variant letters was included in the 4243 DAT update.
---
--- Update December 23, 2002 ---
Detection for another variant (W32/Opaserv.worm.m) has been added. See the W32/Opaserv.worm.m description for details.
---
--- Update November 10, 2002 ---
Another new variant was discovered recently: INSTIT.BAT, 21,504 bytes in size.
---
--- Update October 29, 2002 ---
A new variant was discovered recently: MARCO!.SCR, 12,080 bytes in size. Detection is included in the 4231 DAT files.
---
--- Update October 23, 2002 ---
Two new variants were discovered. Both are 28,672 bytes in size and are not packed. One has been detected since the 4226 DATs; the other requires the 4231 DATs.
---
Two new variants were discovered. Both are 24,064 bytes in size and both are UPX-packed. They were released by a Brazilian virus-writing group, "AlevirusSCS". The first variant installs itself as %WinDir%\BRASIL.PIF, the second as %WinDir%\BRASIL.EXE. These variants are encrypted (beneath the UPX layer) and use a different self-recognition mutex, "Brasil31415". They may drop a file "c:\put.ini". For updates these variants use the website "www.n3t.com.br". Detection of these variants is included in the 4230 DATs.
---
--- Update October 4, 2002 ---
Multiple variants of this worm are now known. At the time of writing, all are detected by the 4226 DATs (released 09/30/2002).
---
--- Update October 1, 2002 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention.
---
This worm contains errors which prevent it from replicating on many Windows NT/2000/XP systems.
The worm attempts to spread over network shares by copying itself to the WINDOWS directory of remotely accessible machines as SCRSVR.EXE and adding a run= entry to WIN.INI so that the worm is loaded at startup.
Local Infection
When run on the victim machine, the worm copies itself to %WinDir%\ScrSvr.exe. To avoid running twice it creates a mutex named "ScrSvr31415"; if that mutex already exists the worm process exits. The following Registry value is set to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvr" = %WinDir%\ScrSvr.exe
The worm attempts to access a remote URL (unavailable at the time of writing). Strings within the worm suggest that it is capable of downloading updates from this site.
Remote Infection
This worm generates significant NetBIOS traffic (UDP). One of the early indications of its activity was an increase in port 137 hits on firewalls, caused by the worm issuing WINS (NetBIOS name) queries across contiguous IP ranges. The spreading mechanism observed in testing is outlined below:
- the worm issues a WINS query to retrieve the NetBIOS name of the target.
- the worm then tries to establish a NetBIOS session with the remote machine.
- if successful, the worm attempts to spread by connecting to \\%machinename%\C using SMB (Server Message Block) commands, i.e. it requires an open 'C' share on the remote machine. The worm can also infect password-protected shares if the MS00-072 security patch (see Removal) is not installed.
Please note: if the patch is installed but the share is not password-protected, the worm will still spread to the machine.
- In spreading, the worm attempts to copy itself to \Windows\ScrSvr.exe on the remote machine.
- A Run key is added to WIN.INI on the remote machine, to run the worm at startup. For example:
Run= 'C:\WINDOWS\SCRSVR.EXE'
The worm attempts to spread to all machines on the local subnet in the above manner, working through the subnet by incrementing the last octet of the IP address for each WINS query.
Subsequently, in testing, the worm was observed to apply the same mechanism to machines in the IP range A.B.(C+1).0 to A.B.(C+1).255 (where A.B.C.x is the local subnet).
After that the mechanism is repeated continually from an apparently random starting IP address (for example 16.13.145.5 -> 16.13.145.255). Once the final octet reaches 255, a new random starting IP is queried.
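One way to spot the sweep pattern described above in perimeter logs, as an added example that is not part of the original page and not the worm's own code: group UDP/137 hits by source address and look for a long run of consecutive destination addresses. The log line format, the sample lines and the threshold of 16 consecutive addresses are constructed assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (assumed format; not from the original page):
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# A host on 192.168.1.x sweeping the next /24, as the page describes, plus
# a few benign NetBIOS lookups from other hosts.
SWEEP_LINES = [
    f"10:00:{i:02d} UDP 192.168.1.20:137 -> 192.168.2.{i}:137" for i in range(1, 41)
]
BENIGN_LINES = [
    "10:01:00 UDP 192.168.1.30:137 -> 192.168.1.1:137",
    "10:01:01 TCP 192.168.1.30:1045 -> 192.168.1.1:139",
    "10:01:02 UDP 192.168.1.40:137 -> 192.168.1.1:137",
    "10:01:03 UDP 192.168.1.40:137 -> 192.168.1.2:137",
    "10:01:04 UDP 192.168.1.40:137 -> 192.168.1.9:137",
]
SAMPLE_LOG = "\n".join(SWEEP_LINES + BENIGN_LINES)

LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_nbns_hits(log_text):
    """Map each source IP to the destinations it sent UDP/137 (NetBIOS name service) packets to."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["dport"] != "137":
            continue  # other formats and other traffic are ignored
        hits[m["src"]].append(m["dst"])
    return hits


def longest_contiguous_run(dst_ips):
    """Length and bounds of the longest run of consecutive IPv4 addresses in dst_ips."""
    addrs = sorted({int(ipaddress.IPv4Address(ip)) for ip in dst_ips})
    best = (0, None, None)
    run_start = prev = None
    for a in addrs:
        if prev is None or a != prev + 1:
            run_start = a  # gap: a new run begins here
        length = a - run_start + 1
        if length > best[0]:
            best = (length, str(ipaddress.IPv4Address(run_start)), str(ipaddress.IPv4Address(a)))
        prev = a
    return best


def find_sweepers(log_text, min_run=16):
    """Source IPs whose UDP/137 targets include a contiguous run of at least min_run addresses.

    A worm walking a /24 one last-octet at a time produces such a run whether it
    starts at the local subnet, the next one, or a random address; ordinary name
    lookups hit a handful of scattered hosts and never reach the threshold.
    """
    sweepers = {}
    for src, dsts in parse_nbns_hits(log_text).items():
        length, first, last = longest_contiguous_run(dsts)
        if length >= min_run:
            sweepers[src] = (length, first, last)
    return sweepers


if __name__ == "__main__":
    for src, (length, first, last) in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {length} consecutive UDP/137 targets, {first} -> {last}")
```

The run length rather than the raw hit count is the discriminator: a busy file server also produces many port 137 packets, but to scattered addresses, while the worm's last-octet walk leaves an unbroken sequence.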
Symptoms
Presence of any of the following:
- %WinDir%\ScrSvr.exe
- C:\SCRSDAT.IN, C:\SCRSDAT.OUT (local infection)
- C:\TMP.INI (when machine remotely infected)
Existence of either of the following Registry values:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvr" = %WinDir%\ScrSvr.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvrOld" = (filename executed, if not %WinDir%\ScrSvr.exe)
Considerable port 137 traffic (UDP) originating from infected machine(s).
Method of Infection
This worm spreads via network shares.
Removal
Security Patch for 'Share Level Password' Vulnerability (MS00-072)
To protect against reinfection by W32/Opaserv.worm (and similar network-aware viruses), obtain and install this patch from Microsoft. It is relevant to the following operating systems:
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows ME
Microsoft Security Bulletin MS00-072 describes the vulnerability and provides the patch.
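The flaw MS00-072 fixes, as an added illustration that is not code from the original page or from Microsoft: Windows 9x/ME share-level password checking compared the client's password against the share password only for as many bytes as the client supplied, so a one-byte guess matching the first character was accepted and the password could be recovered one byte at a time. The Python below is a simplified simulation of that check beside a hardened one; the function names, the printable-ASCII guess alphabet and the guessing loop are assumptions for the demonstration and do not reproduce SMB itself.

```python
import hmac

# Simplified model of the MS00-072 share-level password check (assumed
# simulation for illustration; this is not Windows or SMB code).  Windows 9x/ME
# compared the supplied password against the share password only for as many
# bytes as the client said it was sending.
def check_share_password_vulnerable(supplied: bytes, actual: bytes) -> bool:
    n = len(supplied)
    if n == 0 or n > len(actual):
        return False
    return actual[:n] == supplied  # only the first n bytes are compared


# Hardened form: the whole password must match, length included, and the
# comparison does not stop early on the first mismatching byte.
def check_share_password_fixed(supplied: bytes, actual: bytes) -> bool:
    return hmac.compare_digest(supplied, actual)


ALPHABET = bytes(range(0x20, 0x7F))  # printable ASCII guesses (assumption)


def guess_one_byte_at_a_time(check, actual, max_len=16):
    """Try to recover the share password by extending a verified prefix one byte at a time.

    `actual` stands in for the secret the server holds; the guesser only ever
    learns the accept/reject answer from `check`.  Returns (recovered, guesses).
    Against the vulnerable check this costs at most
    (len(actual) + 1) * len(ALPHABET) guesses instead of len(ALPHABET) ** len(actual);
    against the fixed check no prefix ever verifies, so the loop gives up after
    one pass with nothing recovered.
    """
    recovered = b""
    guesses = 0
    while len(recovered) < max_len:
        for c in ALPHABET:
            guesses += 1
            if check(recovered + bytes([c]), actual):
                recovered += bytes([c])
                break
        else:
            break  # no one-byte extension was accepted: done, or not vulnerable
    return recovered, guesses


if __name__ == "__main__":
    for name, check in (("vulnerable", check_share_password_vulnerable),
                        ("fixed", check_share_password_fixed)):
        pw, n = guess_one_byte_at_a_time(check, b"secret")
        print(f"{name}: recovered {pw!r} after {n} guesses")
```

With the vulnerable check a six-character password falls in a few hundred guesses; with the fixed check the loop ends after one pass with nothing recovered. Note that the worm needs no guessing at all against a share with no password, which is why the page stresses that the patch alone does not stop it.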
It is also recommended that Win9x/ME users unbind File and Print Sharing from the TCP/IP protocol:
- On Windows 9x/ME, right-click Network Neighborhood on the Desktop and select Properties
- Select the TCP/IP protocol component that is bound to your network adapter (e.g. TCP/IP -> 3Com Ethernet Adapter, or TCP/IP -> Dial-Up Adapter)
- Press the "Properties" button
- Select the "Bindings" tab
- Uncheck "File and Print Sharing for Microsoft Networks" if it is checked
- Click "OK" and "OK" again, reboot when prompted.
Use current engine and DAT files for detection. Delete any file which contains this detection.
Note: The worm alters the WIN.INI file on a remote system after it copies itself to that system. VirusScan may therefore detect and delete the worm file while the run= entry is still written. In that case users may see an error message that the file SCRSVR.EXE (or another of the file names above) cannot be found when starting Windows. To fix this, follow these steps:
- Click START - RUN
- Type WIN.INI and press ENTER
- Locate the run= line and remove the worm filename after the = sign (e.g. C:\WINDOWS\SYSTEM\SCRSVR.EXE), leaving any legitimate entries on that line in place
- Click FILE - EXIT and select YES when prompted to save your changes
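The two host-side checks on this page, the WIN.INI run= entry and Run values listed under Symptoms and the manual WIN.INI clean-up in the removal steps above, as one added Python example that is not code from the original page or from McAfee: it parses a constructed WIN.INI, reports and removes run= entries whose file name matches one of the names this page lists, and flags matching values in a Run key supplied as a plain dictionary (the registry contents are constructed, since the real key cannot be read offline). The file-name list, sample data and function names are assumptions for the demonstration.

```python
import re

# File names this page associates with the worm and its variants.
WORM_NAMES = {
    "scrsvr.exe", "brasil.pif", "brasil.exe",
    "marco!.scr", "instit.bat", "natal!.pif",
}

# A run= line anywhere in WIN.INI (the [windows] section is where it normally lives).
RUN_LINE_RE = re.compile(r"^(?P<key>\s*run\s*=)(?P<value>.*)$", re.IGNORECASE)
# Entries on the run= line are space separated; a quoted entry may contain spaces.
ENTRY_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")

# Constructed sample data (assumptions for this example, not observed files).
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run= 'C:\\WINDOWS\\SCRSVR.EXE' C:\\PROGRA~1\\SYNC\\SYNC.EXE\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)
SAMPLE_RUN_VALUES = {  # HKLM\Software\Microsoft\Windows\CurrentVersion\Run as name -> command
    "ScrSvr": "C:\\WINDOWS\\ScrSvr.exe",
    "ScrSvrOld": "C:\\WINDOWS\\TEMP\\MARCO!.SCR",
    "SystemTray": "SysTray.Exe",
}


def split_run_entries(value):
    """Split the text after run= into program entries, dropping surrounding quotes."""
    return [m.group(0).strip("'\"") for m in ENTRY_RE.finditer(value)]


def is_worm_entry(entry):
    """True when the file name part of a command matches a name from this page."""
    name = entry.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
    return name in WORM_NAMES


def scan_win_ini(text):
    """Worm entries found on run= lines of a WIN.INI given as text."""
    found = []
    for line in text.splitlines():
        m = RUN_LINE_RE.match(line)
        if m:
            found.extend(e for e in split_run_entries(m["value"]) if is_worm_entry(e))
    return found


def clean_win_ini(text):
    """Remove worm entries from run= lines and leave every other byte of the file alone.

    Returns (cleaned_text, removed_entries).  Other programs on the same run=
    line are kept (re-quoted if their path contains a space), and the line
    ending of the original line is preserved.
    """
    out, removed = [], []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = RUN_LINE_RE.match(body)
        if not m:
            out.append(line)
            continue
        keep, drop = [], []
        for e in split_run_entries(m["value"]):
            (drop if is_worm_entry(e) else keep).append(e)
        if not drop:
            out.append(line)
            continue
        removed.extend(drop)
        quoted = [f'"{e}"' if " " in e else e for e in keep]
        out.append(m["key"] + " ".join(quoted) + line[len(body):])
    return "".join(out), removed


def scan_run_values(run_values):
    """Run values the page names (ScrSvr, ScrSvrOld) or whose command points at a worm file."""
    return {name: cmd for name, cmd in run_values.items()
            if name.lower() in ("scrsvr", "scrsvrold") or is_worm_entry(cmd)}


if __name__ == "__main__":
    print("WIN.INI run= worm entries:", scan_win_ini(SAMPLE_WIN_INI))
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed)
    print(cleaned)
    print("suspicious Run values:", scan_run_values(SAMPLE_RUN_VALUES))
```

The cleaner edits only the run= line and keeps the rest of the file byte for byte, which matters for an INI file that other software still reads; on a real machine, read WIN.INI from %WinDir% and write it back only after checking what was removed.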
Variants
- W32/Opaserv.worm.c
- W32/Opaserv.worm.b
- W32/Opaserv.worm.d
- W32/Opaserv.worm.e
- W32/Opaserv.worm.f
- W32/Opaserv.worm.g
- W32/Opaserv.worm.h
- W32/Opaserv.worm.i
- W32/Opaserv.worm.k
- W32/Opaserv.worm.j
- W32/Opaserv.worm.l
- W32/Opaserv.worm.n
- W32/Opaserv.worm.o
- W32/Opaserv.worm.p
- W32/Opaserv.worm.q
- W32/Opaserv.worm.r
- W32/Opaserv.worm.m
- W32/Opaserv.worm.s
- W32/Opaserv.worm.t
- W32/Opaserv.worm.u
- W32/Opaserv.worm.v
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- BackDoor-ALB
- Backdoor.Opasoft
- Bck/Opasoft (Panda)
- W32.Opaserv.Worm (Symantec)
- W32/Opaserv.worm.ai
- W95/Scrup.worm
- Worm.Win32.Opasoft (AVP)
- WORM_OPASOFT (Trend)