Symantec Security Response - W32.Opaserv.K.Worm
W32.Opaserv.K.Worm is a network-aware worm that spreads across open network shares. This worm copies itself to the remote computer as a file named Mqbkup.exe.
If you are on a network, or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, disable them. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Instead, share specific folders. These shared folders must be password-protected with a secure password. Do not use a blank password.
Also, before doing so, if you are using Windows 95/98/Millenium, download and install the Microsoft patch from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
Also Known As: W32/Opaserv.worm.m [McAfee]
Infection Length: 17,408 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
CVE References: CVE-2000-0979
W32.Opaserv.K.Worm is a variant of W32.Opaserv.Worm. It is designed to work under the Windows 95/98/Millenium operating systems. When W32.Opaserv.K.Worm runs, it performs the following actions:
A patch for computers that run these operating systems can be found at http://www.microsoft.com/technet/security/...in/MS00-072.asp.
READ THIS FIRST
These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Perform the following to remove the W32.Opaserv.K.Worm:
Reversing the changes made to the registry:
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read document, How to make a backup of the Windows registry, for instructions.
Deleting the line that the worm added to the Win.ini file
This is necessary on Windows 95/98/Millenium-based computers only.
NOTE for Windows Me users only: Due to the file-protection process in Windows Me, a backup copy of the file that you are to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are to edit when you save your changes to that file.
McAfee Security - W32/Opaserv.worm.m
The risk assessment of this threat was updated to Low-Profiled due to media attention.
This worm contains errors, which prevent it from replicating on WindowsNT/2K/XP systems.
The worm attempts to spread over network shares by copying itself to the WINDOWS directory of remotely accessible machines as MQBKUP.EXE, utilizing a WIN.INI run key to load the worm at startup.
When run on the victim machine, the worm copies itself as %WinDir%\mqbkup.exe. To avoid being run twice the worm creates a mutex "mkbkup61616" (if such mutex already exists the worm process exits). The following Registry key is set to hook system startup:
Run "mqbkup" = %WinDir%\mqbkup.exe
Significant NetBIOS traffic (UDP) is caused by this worm. One of the early indications of this worms activity was the increase in port 137 hits on firewalls. This traffic is caused by the worm issuing WINS queries across contiguous IP ranges. The spreading mechanism observed in testing is outlined below:
The worm attempts to spread to all machines on the local subnet in the above manner, (working through the subnet increasing the last octet of the IP address for each WINS query).
Subsequently, in testing the worm was observed to follow the above mechanism for machines in the IP range A.B.(C+1).0 to A.B.(C+1).255 (where A.B.C.x is the local subnet).
Following that, the mechanism was repeated continually, with an apparently random starting IP address (for example 22.214.171.124 -> 126.96.36.199). Once the final octet is incremented to 255, a new initial starting IP is queried.
Indications Of Infection
Presence of any of the following:
Existence of either of the following Registry key:
Run "mqbkup" = %WinDir%\mqbkup.exe
The worm creates a new section in the WIN.INI file:
Considerable port 137 traffic (UDP) originating from infected machine(s).
Method Of Infection
This worm spreads via network shares.
The worm attempts drops a trojan, C:\MSLICENF.COM (detected as QZap248 with the 4240 DAT files), which can delete the contents of the hard disk and references this file in the AUTOEXEC.BAT file. It then restarts the computer by dropping the file BOOT.EXE (detected as Reboot-V the 4240 DAT files), and running it. Upon reboot, the .COM file is executed and the following message is displayed.
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
If you are outside the USA, please look up the correct contact
information on our website, at:
Business Software Alliance
Promoting a safe & legal online world.
Security Patch for 'Share Level Password' Vulnerability (MS00-072)
To protect against reinfection by W32/Opaserv.worm (and similar such network aware viruses) ensure you obtain and install this patch from Microsoft. It is relevant to the following operating systems:
To read more information concerning the exploit and download the relevant patch, click here.
It is also recommend that Win9x/Millenium users unbind File and Print Sharing from the TCP/IP protocol. [/me]
Use current engine and DAT files for detection. Delete any file which contains this detection.
Note: The virus alters the WIN.INI file on remote systems after it copies itself to that system. Therefore, VirusScan may detect and remove the virus before the WIN.INI change occurs. In the scenario users may see an error message that the file SCRSVR.EXE (or other file names) cannot be found when starting Windows. To fix this, follow these steps:
1. Click START - RUN
2. Type WIN.INI and hit ENTER
3. Locate the run= line and remove the necessary filename after the = sign
4. Click FILE - EXIT and select YES when prompted to save your changes
Additional Windows ME/XP removal considerations
TROJ_WINKILL.A (Trend), Trojan.Win32.KillWin (AVP), W32/Opaserv.L (Panda), Win32.Opaserv.I (CA)
About the "increase in port 137 hits on firewalls", that has been going on for months without respite here...
Here's some LnS log:
This, combined with the fact that most folks don't even know what a firewall is, goes a long way towards explaining the "popularity" of Opaserv...
But I'm glad to see they're not just after little me...
|« Previous Thread | Next Thread »|
|Thread Tools||Search this Thread|