Worm.Win32.Opasoft. Viruses Information
Worm.Win32.Opasoft.a

The Opasoft network worm (also known as "Opaserv") has a backdoor trojan routine. The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file about 28KB in length.
The Opasoft worm was first detected at the end of September 2002 - by the beginning of October 2002 it had already caused a global epidemic.
Installation
The worm installs itself to the Windows directory with the name "scrsvr.exe" and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%
Opasoft then deletes its original file (from where it was started).
Spreading
In order to find victim computers Opasoft scans subnets for port 137 (NETBIOS Name Service). IP addresses of the following networks are scanned:
the current subnet of the infected computer (aa.bb.cc.??)
the two nearest subnets of the infected computer (aa.bb.cc+1.??, aa.bb.cc-1.??)
randomly selected subnets (excluding those where scanning is disabled)
If, while searching (scanning) Opasoft happens upon a responding IP address (of an actual computer), the worm then scans the two nearest subnets of that IP address.
When "reply data" is received Opasoft checks a special field contained in it. If it shows that the given computer has the service "File and Print Sharing" open, Opasoft begins its infection procedure on that computer as a remote host.
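The scanning pattern described above (a single source probing udp/137 across its own /24 and the two neighbouring /24s) is something a defender can look for in flow or firewall logs. The following is an added example, not code from the original description: it builds a constructed set of log lines and flags sources that sweep a whole /24 on the NETBIOS Name Service port, then checks whether the swept subnets are numerically adjacent. The log format and the threshold of 20 distinct hosts are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Log format is an assumption for this example: "src=A dst=B dport=N proto=P".
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def build_sample_log():
    """Constructed traffic (not real capture data): one host sweeps its own /24
    and both neighbouring /24s on udp/137; a second host does two ordinary
    name lookups and one session on tcp/139."""
    lines = []
    for third_octet in (4, 5, 6):
        for last_octet in range(1, 31):
            lines.append(f"src=10.1.5.20 dst=10.1.{third_octet}.{last_octet} dport=137 proto=udp")
    lines.append("src=10.1.5.30 dst=10.1.5.1 dport=137 proto=udp")
    lines.append("src=10.1.5.30 dst=10.1.5.7 dport=137 proto=udp")
    lines.append("src=10.1.5.30 dst=10.1.5.7 dport=139 proto=tcp")
    return lines


def parse(lines):
    """Yield (src, dst, dport, proto) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4).lower()


def netbios_sweeps(lines, min_hosts=20):
    """Return {src: [swept /24 networks]} for sources that probed at least
    min_hosts distinct addresses on udp/137 inside a single /24."""
    probes = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, proto in parse(lines):
        if dport != 137 or proto != "udp":
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        probes[src][net].add(dst)
    result = {}
    for src, nets in probes.items():
        swept = sorted(n for n, hosts in nets.items() if len(hosts) >= min_hosts)
        if swept:
            result[src] = swept
    return result


def touches_adjacent_subnets(nets):
    """True when two of the swept /24s are numerically adjacent, i.e. the
    aa.bb.cc and aa.bb.cc+1 / aa.bb.cc-1 pattern of the worm's scanner."""
    addrs = sorted(int(n.network_address) for n in nets)
    return any(b - a == 256 for a, b in zip(addrs, addrs[1:]))


if __name__ == "__main__":
    for src, nets in netbios_sweeps(build_sample_log()).items():
        adjacent = touches_adjacent_subnets(nets)
        print(f"{src} swept {[str(n) for n in nets]} adjacent={adjacent}")
```

A legitimate WINS or browser service also talks to udp/137, but it does not enumerate every address of a /24 and then move to the neighbouring block; the adjacency test is what separates the worm's scanner from ordinary name-service traffic.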
During infection, Opasoft sends, via port 139 (NETBIOS Session Service) special SMB - packets that transmit the following commands:
sets up a connection to the \\hostname\C resource (where "hostname" is the name of the victim computer, learned when the victim answers Opasoft's scan with its "reply data")
if the resource is password protected the worm runs through all possible "one symbol" passwords - conducting a "brute-force" attack
If the connection is successful, Opasoft transmits its EXE file; during transmission the full name of the destination file containing the code (EXE file) is revealed:
\WINDOWS\scrsvr.exe
Opasoft then reads the \Windows\win.ini file on the victim machine and copies (saves) it to the local disk (of the remote computer) under the name:
C:\TMP.INI
The worm adds its auto-run command to this C:\TMP.INI copy and then sends the file back to the victim computer, where it is placed in the Windows system directory.
As a result of receiving these packets, two files appear on the victim machine:
\WINDOWS\scrsvr.exe - a copy of the Opasoft worm
\WINDOWS\win.ini - a Windows INI file which contains the auto-run command (to "auto-run" the Opasoft worm)
The second file, win.ini, results in Opasoft gaining control of the victim computer upon system restart.
Password Exploit
To get passwords needed to gain access to victim machines, the worm uses the security breach "share level password exploit". For a detailed description of this exploit please click the following address: http://www.nsfocus.com/english/homepage/sa_05.htm
The worm programmatically "suggests" a password field only one character in length to the victim host. When a one-byte password is "suggested", the host checks only the first byte of the password; if that first byte is correct, the authentication process is passed successfully. As a result it is enough to try all one-byte passwords for the attacker to exploit vulnerable Win9x machines. The patch for this vulnerability is available at: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
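The reason a "one symbol" brute force suffices is that the flawed check compares only as many bytes as the client supplied, so the search space collapses from the full password to 256 values. The following is an added example, not code from the original description or from Windows: it models the flawed comparison beside a correct one and counts how many one-byte guesses each accepts. The stored password and the function names are assumptions for the example; the real Win9x implementation is not reproduced here.

```python
import hmac


def vulnerable_share_check(stored: bytes, supplied: bytes) -> bool:
    """Model of the share-level password flaw described above: the host
    compares only len(supplied) bytes, so a one-byte guess is tested against
    the first byte of the real password alone."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def hardened_share_check(stored: bytes, supplied: bytes) -> bool:
    """Correct form: compare the whole password, length included, in constant
    time. The client's choice of length no longer shortens the comparison."""
    return hmac.compare_digest(stored, supplied)


def accepted_single_byte_guesses(check, stored: bytes):
    """Exhaust the 256 possible one-byte values and return those the given
    check accepts. For the flawed check this is the password's first byte;
    for the hardened check it is empty unless the password itself is one byte."""
    return [bytes([b]) for b in range(256) if check(stored, bytes([b]))]


if __name__ == "__main__":
    # Constructed sample password for the demonstration (not from the page).
    password = b"Secret42"
    print("flawed check accepts:  ", accepted_single_byte_guesses(vulnerable_share_check, password))
    print("hardened check accepts:", accepted_single_byte_guesses(hardened_share_check, password))
```

With the flawed check, a single byte out of 256 opens a share protected by an eight-character password; with the full-length comparison, the same 256 guesses yield nothing, which is the effect of the MS00-072 patch the text points to.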
Backdoor
The backdoor routine goes to the www.opasoft.com WEB-site and performs the following actions:
downloads and executes its latest version (if there is one)
downloads and processes script files placed at this site
New worm versions are downloaded to the file "scrupd.exe". This file is then run, and replaces the existing worm copy.
While processing the backdoor it uses its data files "ScrSin.dat" and "ScrSout.dat". These files are encrypted with a strong crypto-algorithm.
Because the server at www.opasoft.com is down, it is not possible to get more information about this backdoor routine.
Technical Details
To avoid infecting the same machine twice the worm creates a "Windows mutex" under the name "ScrSvr31415".
Win9x machines are infectable, while infection of WinNT machines is highly unlikely and almost impossible.
One of the worm versions writes log data about scanned and infected machines to the "ScrLog" and "ScrLog2" files.
Removal
The worm caused a global epidemic and hit many Win9x systems for the following reasons:
it spreads using the standard NETBIOS protocol
the "\\hostname\C" resource name is the default name when a share is opened on the C: drive
there is no request for a password when a share is opened
many users don't pay enough attention to password length and security
To get rid of the worm and to avoid reinfection it is necessary to:
disable file sharing, or apply a sufficiently strong password to opened shares
delete the infected EXE file
remove the worm's "run" commands from the WIN.INI file and the system registry (see above)



Worm.Win32.Opasoft.a (a.k.a. Brasil)
Opasoft.a, also known as "Brazil", is a new variant of the "Opasoft" worm and was found "in-the-wild" on Oct. 19-20, 2002.
The differences are:
The original "Opasoft.a" worm is not compressed. The "Brasil" variant is encrypted by the "PCPEC" PE EXE file encryption utility and then compressed by the "UPX" PE EXE files compression tool.
The text strings are patched. For example, the following strings are replaced:
"ScrSvr", "ScrSin" -> "Brasil"
"ScrSout" -> "Brasil!"
"scrupd" -> "puta!!"
"www.opasoft.com" -> "www.n3t.com.br"

As a result the "Brasil" modification behaves a bit differently, however the spreading and backdoor routines are exactly the same as with the original worm variant.
Installation
The Opasoft.a worm installs itself to the Windows directory under the name "brasil.exe" or "brasil.pif" (depending on the "Brasil" patch variant) and registers this file in the auto-run registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Brasil = %worm name%
Spreading
While infecting remote computers the Opasoft.a worm uploads itself under the "brasil.exe" or "brasil.pif" name, and writes a corresponding string to a remote WIN.INI file.
Backdoor
The backdoor routine goes to the www.n3t.com.br WEB-site and performs the following actions:
it downloads and executes its new version (if there is one) from this site
it downloads and processes script files placed at this site
The new worm version is downloaded to the file puta!!.exe. This file is then run and replaces the current or existing copy of the worm.
While the backdoor is processing it employs two data files, Brasil.dat and Brasil!.dat, which are encrypted with a strong "crypto" algorithm.
Because the server at www.n3t.com.br is down (as is the original "Opasoft" server), it is not possible to obtain further information concerning the worm's backdoor procedures.
Variants
There are several "patched" variants known. The differences are only in URL and file names, for example:
worm file name:
"Opasoft.a" ("Brazil" variant) : \WINDOWS\brazil.pif
"Opasoft.a" ("Marco" variant) : \WINDOWS\marco!.scr
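The removal steps above come down to checking two persistence points, the WIN.INI run line and the HKLM Run key, for the file and value names the description lists for the original worm and its patched variants. The following is an added example, not code from the original description: it parses a win.ini text and a .reg-style export of the Run key and reports entries that match those names. The sample artefacts are constructed for the example, and the file names checked are exactly the ones given on this page.

```python
import re

# File names this description attributes to Opasoft and its patched variants.
WORM_FILENAMES = {"scrsvr.exe", "scrupd.exe", "brasil.exe", "brasil.pif",
                  "brazil.pif", "marco!.scr", "puta!!.exe"}
# Registry value names the description reports under HKLM\...\Run.
WORM_RUN_VALUES = {"scrsvr", "brasil"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample win.ini (not a real artefact): the worm's run= entry plus
# an unrelated section that a naive INI parser might trip over.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\scrsvr.exe
NullPort=None

[fonts]
Arial (TrueType)=ARIAL.TTF
"""

# Constructed sample .reg export (not a real artefact) of the Run key with
# one benign entry and the worm's ScrSvr value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\example.exe"
"ScrSvr"="C:\\WINDOWS\\scrsvr.exe"
"""


def win_ini_autorun_entries(text):
    """Return the programs listed on run= and load= in the [windows] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                # Multiple programs are separated by spaces or commas.
                entries.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return entries


def registry_run_entries(text):
    """Return {value_name: data} for the HKLM Run key in a .reg export."""
    entries, in_run_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # .reg exports double every backslash inside string data.
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def opasoft_indicators(win_ini_text, reg_export_text):
    """List the persistence entries matching the names given in the description."""
    findings = []
    for entry in win_ini_autorun_entries(win_ini_text):
        if basename(entry) in WORM_FILENAMES:
            findings.append(f"win.ini autorun: {entry}")
    for name, data in registry_run_entries(reg_export_text).items():
        first_token = basename(data.split()[0]) if data.split() else ""
        if name.lower() in WORM_RUN_VALUES or first_token in WORM_FILENAMES:
            findings.append(f"registry Run value {name}: {data}")
    return findings


if __name__ == "__main__":
    for finding in opasoft_indicators(SAMPLE_WIN_INI, SAMPLE_REG_EXPORT):
        print(finding)
```

Both persistence points have to be cleared together: the description notes that the worm re-creates WIN.INI on the victim during infection, so removing only the registry value leaves the run= line to restart it.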


