My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.Opaserv

HIGH
LOW
28672 bytes
(Opasoft, Opas)

Symptoms

  • File "scrsvr.exe" in the Windows folder;

  • One or both of the registry entries:

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvrOld


    Removal instructions:

    The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you'll have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender AntiOpaserv tool does the following:
  • it detects all the known Win32.Worm.Opaserv versions;

  • it deletes the files infected with Win32.Worm.Opaserv;

  • it kills the process from memory;

  • it repairs the Windows registry.


  • To prevent the virus from replicating itself from infected machines to clean machines, you should try to disinfect all computers in the network before rebooting any of them, or unplug the network cables.

    If you are running Windows 95/98/Me you will have to apply the following patch provided by Microsoft to stop the virus from using the 'Share Level Password' Vulnerability.

    You may also need to restore the affected files.

    Analyzed By

    Bogdan Dragu BitDefender Virus Researcher

    Technical Description:

    The worms in this family spread by copying themselves to other computers in the network that are running Windows 95/98/Me; they exploit a vulnerability in these operating systems that allows access to password-protected shares when guessing only the first character of the password. More information and a fix for this vulnerability are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp. The viruses were written in Borland C++ and Assembler.

    The first two sections describe the initial code of Win32.Worm.Opaserv.A; details about the other variants are available in the Worm Versions section below.

    The worm copies itself in the Windows folder as ScrSvr.exe; the registry entry HKLM\ Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr is created so that the new copy is run at every start-up; the ScrSvrOld registry entry is used to ensure that at least the old worm version is run at start-up, while upgrading it to a downloaded version. The original copy of the virus is deleted.

    A mutex object called “ScrSvr31415” (3.1415... are the first digits of the number pi) is used to prevent multiple copies from running at a given time. The virus will call the function RegisterServiceProcess so that the process is not listed when Task Manager is invoked. The virus will reduce its main thread’s priority so that it only runs when the computer is idle.

    It will create several execution threads, to replicate and update itself. For replication, it uses the SMB (Server Message Block) file sharing protocol; two threads are created by the virus for this purpose. The first of them will listen to incoming NetBIOS communication and attempt to connect (on port 139) to the remote machine’s C\ drive by trying every printable character as the password. It will transfer the virus body to the remote computer (to WINDOWS\scrsvr.exe) and modify win.ini (in the remote’s computer Windows folder) in order to include the filename of the virus in the “run =” line under the [windows] section (a temporary local file c:\tmp.ini is used in the process). This will cause the virus to be run at the next start-up on the remote computer.

    Another thread is used by the virus to scan for computers to infect in the network. It lists all IP’s of the local host (a.b.c.d) except for 127.0.0.1 and tries to connect to port 137 of computers with nearby IP’s:

    a.b.c.x
    a.b.c+1.x
    a.b.c-1.x (x iterates through all possible values)

    and to computers with IP’s in a random range.

    The worm attempts to update itself from the www.opasoft.com HTTP site and intends to store the downloaded version in the file scrupd.exe; two other temporary files (ScrSin.dat and ScrSout.dat) are used while transfering data from the update server. The site is not functional.

    Opaserv versions:

    The versions of the Win32.Worm.Opaserv family differ mainly in the names of files and mutex, address of the update site, executable packer (UPX, ASPack, PE-compact) and payload.

    Variant A has a minor subversion; the following names are used instead of the originals:
    Virus files: Alevir.exe, puta!!.exe
    Registry entries: Alevir, AlevirOld
    Temporary files: Alevir.dat, Alesout.dat, c:\put.ini
    Mutex: Alevir31415
    Upgrade site: www.n3t.com.br

    Variants B, C, D and J are very similar to A; C is further encrypted and uses modified names:
    Virus files: marco!.scr, vaisef.exe
    Registry entries: Cuzao!Old, cronos
    Temporary files: Mane!!.dat, FDP!!!!.dat, c:\gay.ini
    Mutex: marquinhos!
    Upgrade site: www.gwmnet.com.br

    Variants E, F and L are encrypted and contain the text “OpaSoft Crypted By AlevirusSCS!”:
    Virus files: Brasil.pif (E) / Brasil.exe (F, L), puta!!.exe
    Registry entries: Brasil, BrasilOld
    Temporary files: Brasil.dat, Brasil!.dat, c:\put.ini
    Mutex: Brasil31415
    Upgrade site: www.n3t.com.br

    Variant G also uses an additional encryption layer (besides the UPX packer):
    Virus files: instit.bat, tavinh.scr
    Registry entries: instit, GustavVED
    Temporary files: Gustav.sap, Institu.vat
    Mutex: GustavoDist
    Upgrade site: www.Gustavo.com

    Variant H keeps two additional log files: ScrLog records IP’s of computers that the virus attempts to infect and ScrLog2 records all scanned IP’s.

    Variants K and M will attempt to delete some other versions of the virus (the files scrsvr.exe, alevir.exe – and brasil.exe for M – in the Windows folder and the registry entries “scrsvr”, “alevir” – and “brasil” for M). K is packed with ASPack; the two versions use the following names:
    Virus files: Srv32.exe, sccss
    Registry entries: ..\RunServices\Srv32, Srv32Old
    Temporary files: Srv.tsk, Srv.res, c:\temp.ini
    Mutex: Srv3231415
    Upgrade site: dc0.net (unavailable)

    Variant N is packed with PE-compact; it carries along a trojan which, under certain conditions, is executed and overwrites C:\boot.ini, and then restarts Windows (which will not be able to boot).
    Virus files: mqbkup.exe, update.exe
    Registry entries: mqbkup, mqbkupdbs
    Temporary files: MSBIND.DLL, mscat32.dll, c:\win.ini
    Mutex: mqbkup61616