Wilders Security Forums
#1
December 26th, 2002, 07:58 AM
Randy_Bell (Updates Team; Join Date: May 2002; Location: Santa Clara, CA; Posts: 3,053)
W32.Opaserv.K.Worm

Symantec Security Response - W32.Opaserv.K.Worm

W32.Opaserv.K.Worm is a network-aware worm that spreads across open network shares. This worm copies itself to the remote computer as a file named Mqbkup.exe.

If you are on a network, or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, disable them. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Instead, share specific folders. These shared folders must be password-protected with a secure password. Do not use a blank password.

Also, before doing so, if you are using Windows 95/98/Millennium, download and install the Microsoft patch from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.

Also Known As: W32/Opaserv.worm.m [McAfee]
Type: Worm
Infection Length: 17,408 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
CVE References: CVE-2000-0979

Technical Details

W32.Opaserv.K.Worm is a variant of W32.Opaserv.Worm. It is designed to work under the Windows 95/98/Millennium operating systems. When W32.Opaserv.K.Worm runs, it performs the following actions:
  • If the original file name of the worm is not %windir%\Mqbkup.exe, it copies itself as %windir%\Mqbkup.exe and then deletes itself from the original location. It then updates the registry and quits. This will ensure that the worm is executed at the next system startup as %windir%\Mqbkup.exe.

    NOTE: %windir% is a variable. The worm locates the Windows main installation folder (by default, this is C:\Windows or C:\Winnt) and uses it as a destination folder.
  • The worm creates the "mqbkup61616" mutex. This mutex allows only one instance of the W32.Opaserv.K.Worm to execute in memory.
    The worm creates the value

    mqbkup %windir%\mqbkup.exe

    or

    qbkupdbs %windir%\mqbkup.exe

    in the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm starts when you start or restart Windows.
  • If the operating system is Windows 95/98/Millennium, the worm registers itself as a service process to continue to run after you log off.
  • The worm may drop an executable C:\boot.exe (3,584 bytes) that shuts down the system and then restarts it. The system is restarted by forcing processes to terminate (any opened documents will be closed without saving their contents). This file is not malicious.
  • The worm may create the file C:\Mslicenf.com, which, if it is run, displays this message:

    Illegal Microsoft Windows license detected!
    You are in violation of the Digital Millennium Copyright Act!
    Your unauthorized license has been revoked.
    For more information, please call us at:
    1-888-NOPIRACY
    If you are outside the USA, please look up the correct contact information
    on our website, at:
    www.bsa.org
    Business Software Alliance
    Promoting a safe & legal online world.
  • The worm may then update the contents of the C:\Autoexec.bat file to run the Mslicenf.com file when you start the computer, and then to run C:\boot.exe. As a result, when you restart the computer, it displays the message and then reboots.
  • Then the worm takes an inventory of the network, looking for "C:\" shares. For each share it finds, it attempts to perform these actions:
    • Copies itself to C:\Windows\Mqbkup.exe.
    • Adds the following line to the Win.ini file on the compromised network computer:

      run=c:\windows\mqbkup.exe
  • To replicate across the network, the worm uses a security vulnerability in Microsoft Windows 95/98/Millennium. It sends single-character passwords to network shares to get access to Windows 95/98/Millennium file shares, without knowing the entire password assigned to the shares. The affected operating systems include:
    • Microsoft Windows 95
    • Microsoft Windows 98
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows Me

A patch for computers that run these operating systems can be found at http://www.microsoft.com/technet/security/...in/MS00-072.asp.

Removal Instructions

READ THIS FIRST
  • This worm uses a security vulnerability in Microsoft Windows 95/98/Millennium. It sends single-character passwords to network shares to get access to Windows 95/98/Millennium file shares, without knowing the entire password assigned to the shares. The affected systems include Windows 95, 98, and Me.

    A patch for computers running these operating systems can be found at http://www.microsoft.com/technet/security/...in/MS00-072.asp. If you have not already done so, obtain and install the patch to prevent future infections.
  • If you are on a network, or if you have a full-time connection to the Internet, such as DSL or cable modem, disconnect the computer from the network and the Internet. Disable sharing before you reconnect computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not re-infect the computer after it has been removed, remove all shares, clean all the computers on the network, patch all the systems, and update the definitions on all the computers before you reconnect to the network or re-enable shares. For instructions, refer to your Windows documentation, or the document How to configure shared Windows folders for maximum network protection.
  • If you are removing an infection on a network, first make sure any shares are disabled.

These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Perform the following to remove the W32.Opaserv.K.Worm:

  1. Disconnect from the network.
  2. Update the virus definitions.
  3. Do one of the following:
     • Windows 95/98/Millennium: Restart the computer in Safe mode.
     • Windows NT/2000/XP: Stop the running worm process.
  4. Run a full system scan and delete all the files detected as W32.Opaserv.K.Worm.
  5. Reverse the changes that the worm made to the registry.
  6. For Windows 95/98/Millennium only, delete the line

     run=c:\windows\mqbkup.exe

     from the C:\Windows\Win.ini file.

Reversing the changes made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read document, How to make a backup of the Windows registry, for instructions.

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)
  3. Navigate to the following key:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the following value:

     mqbkup %windir%\mqbkup.exe

     or

     mqbkupdbs %windir%\mqbkup.exe

  5. Exit the Registry Editor.

Deleting the line that the worm added to the Win.ini file
This is necessary on Windows 95/98/Millennium-based computers only.

NOTE for Windows Me users only: Due to the file-protection process in Windows Me, a backup copy of the file that you are to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are to edit when you save your changes to that file.

  1. Click Start, and then click Run.
  2. Type the following, and then click OK.

     edit c:\windows\win.ini

     The MS-DOS Editor opens.

     NOTE: If Windows is installed in a different location, make the appropriate path substitution.

  3. In the [windows] section of the file, look for an entry similar to

     run=c:\windows\mqbkup.exe

  4. Select the entire line. Be sure that you have not selected any other text in the file. Then press Delete.
  5. Click File, then click Save.
  6. Click File, then click Exit.
#2
December 27th, 2002, 08:31 AM
Randy_Bell (Updates Team; Join Date: May 2002; Location: Santa Clara, CA; Posts: 3,053)
Re: W32.Opaserv.K.Worm

McAfee Security - W32/Opaserv.worm.m

Virus Characteristics

The risk assessment of this threat was updated to Low-Profiled due to media attention.

This worm contains errors, which prevent it from replicating on Windows NT/2K/XP systems.

The worm attempts to spread over network shares by copying itself to the WINDOWS directory of remotely accessible machines as MQBKUP.EXE, utilizing a WIN.INI run key to load the worm at startup.

Local Infection

When run on the victim machine, the worm copies itself as %WinDir%\mqbkup.exe. To avoid being run twice the worm creates a mutex "mkbkup61616" (if such mutex already exists the worm process exits). The following Registry key is set to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "mqbkup" = %WinDir%\mqbkup.exe

Remote Infection

Significant NetBIOS traffic (UDP) is caused by this worm. One of the early indications of this worm's activity was the increase in port 137 hits on firewalls. This traffic is caused by the worm issuing WINS queries across contiguous IP ranges. The spreading mechanism observed in testing is outlined below:
  • The worm issues a WINS query (to retrieve the NetBIOS name).
  • The worm then tries to establish a NetBIOS session to the remote machine.
  • If successful, the worm attempts to spread by connecting to \\%machinename%\C using SMB (Server Message Block) commands (i.e. requiring an open 'C' share on the remote machine). This worm can infect password-protected shares if the security patch is not installed.

    Please Note: if this patch is installed, but the share is not password protected, the worm will still spread to the machine.
  • In spreading, the worm attempts to copy itself to \Windows\mqbkup.exe on the remote machine.
  • A Run key is added to WIN.INI on the remote machine, to run the worm at startup. For example:

    Run= 'C:\WINDOWS\MQBKUP.EXE'

The worm attempts to spread to all machines on the local subnet in the above manner (working through the subnet, increasing the last octet of the IP address for each WINS query).

Subsequently, in testing the worm was observed to follow the above mechanism for machines in the IP range A.B.(C+1).0 to A.B.(C+1).255 (where A.B.C.x is the local subnet).

Following that, the mechanism was repeated continually, with an apparently random starting IP address (for example 16.13.145.5 -> 16.13.145.255). Once the final octet is incremented to 255, a new initial starting IP is queried.

Indications Of Infection

Presence of any of the following:

  • %WinDir%\MQBKUP.EXE
  • %WinDir%\MSBIND.DLL
  • %WinDir%\MSCAT32.DLL
  • C:\WIN.INI (when machine remotely infected)

Existence of either of the following Registry keys:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "mqbkup" = %WinDir%\mqbkup.exe

The worm creates a new section in the WIN.INI file:
[msappfont]
value=%value%
font=%value%
style=%value%


Considerable port 137 traffic (UDP) originating from infected machine(s).

Method Of Infection

This worm spreads via network shares.

Payload

The worm attempts to drop a trojan, C:\MSLICENF.COM (detected as QZap248 with the 4240 DAT files), which can delete the contents of the hard disk, and references this file in the AUTOEXEC.BAT file. It then restarts the computer by dropping the file BOOT.EXE (detected as Reboot-V with the 4240 DAT files) and running it. Upon reboot, the .COM file is executed and the following message is displayed.

NOTICE:

Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact
information on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.

Removal Instructions

Security Patch for 'Share Level Password' Vulnerability (MS00-072)

To protect against reinfection by W32/Opaserv.worm (and similar such network aware viruses) ensure you obtain and install this patch from Microsoft. It is relevant to the following operating systems:
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows ME

To read more information concerning the exploit and download the relevant patch, click here.

It is also recommended that Win9x/Millennium users unbind File and Print Sharing from the TCP/IP protocol.

  1. On Windows 9x/ME, right-click Network Neighborhood on the Desktop and select Properties.
  2. Select the TCP/IP protocol component that is bound to your network adapter (i.e. TCP/IP -> 3Com Ethernet Adapter, or TCP/IP -> Dial-Up Adapter).
  3. Press the "Properties" button.
  4. Select the "Bindings" tab.
  5. Uncheck "File and Print Sharing for Microsoft Networks" if it is checked.
  6. Click "OK" and "OK" again, and reboot when prompted.

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Note: The virus alters the WIN.INI file on remote systems after it copies itself to that system. Therefore, VirusScan may detect and remove the virus before the WIN.INI change occurs. In this scenario users may see an error message that the file SCRSVR.EXE (or other file names) cannot be found when starting Windows. To fix this, follow these steps:

  1. Click START - RUN.
  2. Type WIN.INI and hit ENTER.
  3. Locate the run= line and remove the necessary filename after the = sign
     (i.e. C:\WINDOWS\SYSTEM\SCRSVR.EXE).
  4. Click FILE - EXIT and select YES when prompted to save your changes.

Additional Windows ME/XP removal considerations

Aliases
TROJ_WINKILL.A (Trend), Trojan.Win32.KillWin (AVP), W32/Opaserv.L (Panda), Win32.Opaserv.I (CA)
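Both writeups point at the same host artefacts: the run= entry the worm adds to Win.ini and, per McAfee, an extra [msappfont] section. The following added example (not Symantec's or McAfee's code) audits Win.ini text for both and returns a cleaned copy, keeping any unrelated programs on the run= line; the sample ini is constructed.

```python
# Audit Win.ini text for the W32.Opaserv.K.Worm changes described in the
# posts above and return a cleaned copy. Added example, not Symantec/McAfee code.
import re

WORM_EXE = "mqbkup.exe"      # worm copy the run= line loads
WORM_SECTION = "msappfont"   # section McAfee lists as an indicator

SAMPLE_WIN_INI = (           # constructed sample, not a real capture
    "[windows]\n"
    "load=\n"
    "run=c:\\tools\\tray.exe c:\\windows\\mqbkup.exe\n"
    "[msappfont]\n"
    "value=12\n"
    "font=Arial\n"
    "[fonts]\n"
)

def audit_win_ini(text):
    """Return (findings, cleaned_text). The worm's run= program and the
    [msappfont] section are removed; unrelated run= programs are kept."""
    findings, out, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[(.+?)\]", line)
        if m:
            section = m.group(1).lower()
            if section == WORM_SECTION:
                findings.append("[msappfont] section present")
        if section == WORM_SECTION:
            continue                  # drop the header and its key=value lines
        if section == "windows" and line.lower().startswith("run="):
            # run= may list several programs separated by spaces or commas
            progs = [p for p in re.split(r"[ ,]+", line[4:]) if p]
            bad = [p for p in progs if p.strip("'\"").lower().endswith(WORM_EXE)]
            if bad:
                findings.append("run= loads " + ", ".join(bad))
                progs = [p for p in progs if p not in bad]
                if not progs:
                    continue          # nothing left: delete the whole line
                out.append("run=" + " ".join(progs))
                continue
        out.append(raw)
    cleaned = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return findings, cleaned
```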
#3
December 27th, 2002, 09:02 AM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,946)
Re: W32.Opaserv.K.Worm

About the "increase in port 137 hits on firewalls", that has been going on for months without respite here...

Here's some LnS log:

[attached image: LnS log]

-- Tony, CLSID List - A Collection of Autostart Locations
#4
December 27th, 2002, 11:34 AM
Randy_Bell (Updates Team; Join Date: May 2002; Location: Santa Clara, CA; Posts: 3,053)
Re: W32.Opaserv.K.Worm

same here Tony (ZA logs):
[attached image: ZA log]
#5
December 27th, 2002, 11:44 AM
TonyKlein (Security Expert; Join Date: Feb 2002; Location: The Netherlands; Posts: 3,946)
Re: W32.Opaserv.K.Worm

Amazing, innit?

This, combined with the fact that most folks don't even know what a firewall is, goes a long way towards explaining the "popularity" of Opaserv...

But I'm glad to see they're not just after little me...



-- Tony, CLSID List - A Collection of Autostart Locations
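The port 137 hits in the firewall logs the posters mention are the WINS sweep McAfee describes: one source probing UDP 137 on host after host, incrementing the last octet. The following added example (not code from the thread or either vendor) flags that pattern in firewall log lines; the log format and IP addresses are constructed for the example.

```python
# Flag the Opaserv-style WINS sweep (UDP 137 probes walking a /24 by
# incrementing the last octet) in firewall log lines. Added example; the
# log format below is constructed for it, not ZoneAlarm's or LnS's.
import re
from collections import defaultdict

# Constructed format: "<date> <time> <proto> <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):\d+"
                    r" -> (?P<dst>[\d.]+):(?P<port>\d+)$")

SAMPLE_LOG = """\
2002-12-27 08:02:11 UDP 203.0.113.77:137 -> 192.0.2.20:137
2002-12-27 08:02:11 UDP 203.0.113.77:137 -> 192.0.2.21:137
2002-12-27 08:02:12 UDP 203.0.113.77:137 -> 192.0.2.22:137
2002-12-27 08:02:12 UDP 203.0.113.77:137 -> 192.0.2.23:137
2002-12-27 08:02:13 UDP 203.0.113.77:137 -> 192.0.2.24:137
2002-12-27 08:03:40 TCP 198.51.100.3:4410 -> 192.0.2.20:139
2002-12-27 08:05:02 UDP 198.51.100.3:137 -> 192.0.2.20:137
2002-12-27 08:09:15 UDP 198.51.100.3:137 -> 192.0.2.54:137
""".splitlines()

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_wins_sweeps(lines, min_run=4):
    """Return {src: [(subnet, first_octet, last_octet), ...]} for sources that
    hit UDP 137 on min_run or more hosts with consecutive last octets in one /24."""
    probes = defaultdict(list)            # src -> [(dst /24 prefix, last octet)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["port"] == "137":
            net, _, host = rec["dst"].rpartition(".")
            probes[rec["src"]].append((net, int(host)))
    sweeps = defaultdict(list)
    for src, hits in probes.items():
        start = 0
        for i in range(1, len(hits) + 1):
            # a run continues while the next probe is last_octet + 1 in the same /24
            contiguous = (i < len(hits) and hits[i][0] == hits[i - 1][0]
                          and hits[i][1] == hits[i - 1][1] + 1)
            if not contiguous:
                if i - start >= min_run:
                    sweeps[src].append((hits[start][0], hits[start][1], hits[i - 1][1]))
                start = i
    return dict(sweeps)
```

A single WINS query, as normal name resolution produces, never reaches min_run and is not reported; only the sequential walk is.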
 
