The worms in this family spread by copying themselves to other computers in the network that are running Windows 95/98/Me; they exploit a vulnerability in these operating systems that allows access to password-protected shares when guessing only the first character of the password. More information and a fix for this vulnerability are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp
. The viruses were written in Borland C++ and Assembler.
The first two sections describe the initial code of Win32.Worm.Opaserv.A; details about the other variants are available in the Worm Versions section below.
The worm copies itself in the Windows folder as ScrSvr.exe; the registry entry HKLM\ Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr is created so that the new copy is run at every start-up; the ScrSvrOld registry entry is used to ensure that at least the old worm version is run at start-up, while upgrading it to a downloaded version. The original copy of the virus is deleted.
A mutex object called “ScrSvr31415” (3.1415... are the first digits of the number pi) is used to prevent multiple copies from running at a given time. The virus will call the function RegisterServiceProcess so that the process is not listed when Task Manager is invoked. The virus will reduce its main thread’s priority so that it only runs when the computer is idle.
It will create several execution threads, to replicate and update itself. For replication, it uses the SMB (Server Message Block) file sharing protocol; two threads are created by the virus for this purpose. The first of them will listen to incoming NetBIOS communication and attempt to connect (on port 139) to the remote machine’s C\ drive by trying every printable character as the password. It will transfer the virus body to the remote computer (to WINDOWS\scrsvr.exe) and modify win.ini (in the remote’s computer Windows folder) in order to include the filename of the virus in the “run =” line under the [windows] section (a temporary local file c:\tmp.ini is used in the process). This will cause the virus to be run at the next start-up on the remote computer.
Another thread is used by the virus to scan for computers to infect in the network. It lists all IP’s of the local host (a.b.c.d) except for 127.0.0.1 and tries to connect to port 137 of computers with nearby IP’s:
a.b.c-1.x (x iterates through all possible values)
and to computers with IP’s in a random range.
The worm attempts to update itself from the www.opasoft.com HTTP site and intends to store the downloaded version in the file scrupd.exe; two other temporary files (ScrSin.dat and ScrSout.dat) are used while transfering data from the update server. The site is not functional. Opaserv versions:
The versions of the Win32.Worm.Opaserv family differ mainly in the names of files and mutex, address of the update site, executable packer (UPX, ASPack, PE-compact) and payload. Variant A
has a minor subversion; the following names are used instead of the originals:
Virus files: Alevir.exe, puta!!.exe
Registry entries: Alevir, AlevirOld
Temporary files: Alevir.dat, Alesout.dat, c:\put.ini
Upgrade site: www.n3t.com.br Variants B, C, D
are very similar to A; C is further encrypted and uses modified names:
Virus files: marco!.scr, vaisef.exe
Registry entries: Cuzao!Old, cronos
Temporary files: Mane!!.dat, FDP!!!!.dat, c:\gay.ini
Upgrade site: www.gwmnet.com.br Variants E, F
are encrypted and contain the text “OpaSoft Crypted By AlevirusSCS!”:
Virus files: Brasil.pif (E) / Brasil.exe (F, L), puta!!.exe
Registry entries: Brasil, BrasilOld
Temporary files: Brasil.dat, Brasil!.dat, c:\put.ini
Upgrade site: www.n3t.com.br Variant G
also uses an additional encryption layer (besides the UPX packer):
Virus files: instit.bat, tavinh.scr
Registry entries: instit, GustavVED
Temporary files: Gustav.sap, Institu.vat
Upgrade site: www.Gustavo.com Variant H
keeps two additional log files: ScrLog records IP’s of computers that the virus attempts to infect and ScrLog2 records all scanned IP’s. Variants K
will attempt to delete some other versions of the virus (the files scrsvr.exe, alevir.exe – and brasil.exe for M – in the Windows folder and the registry entries “scrsvr”, “alevir” – and “brasil” for M). K is packed with ASPack; the two versions use the following names:
Virus files: Srv32.exe, sccss
Registry entries: ..\RunServices\Srv32, Srv32Old
Temporary files: Srv.tsk, Srv.res, c:\temp.ini
Upgrade site: dc0.net (unavailable) Variant N
is packed with PE-compact; it carries along a trojan which, under certain conditions, is executed and overwrites C:\boot.ini, and then restarts Windows (which will not be able to boot).
Virus files: mqbkup.exe, update.exe
Registry entries: mqbkup, mqbkupdbs
Temporary files: MSBIND.DLL, mscat32.dll, c:\win.ini