new trojan known for UDP 137: Backdoor Opasoft

Discussion in 'malware problems & news' started by Jooske, Sep 28, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    And for example the thread at GRC.security.software called:

    Another udp/137 add: scrsvr.exe
     
  2. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi all !
    Are proxy users getting the same hits as well ?

    Thanks,
    bill :)
     
  3. controler

    controler Guest

    I am not getting any yet.. crossing fingers XX

    This is getting interesting to say the least.
     
  4. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    As of 11:30 pm of 30Sept., the netbios scans seemed to have stopped !! :D

    At least here anyway !

    bill :)
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    ISPs are trying to filter them out too; imagine all that traffic for them!
    I had only one from a user at my own ISP, all others from different sources and if i don't put up the Port Listen in TDS it knocks on every several seconds. Now i only get the few ICMP and 80 regular knocks fortunately.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    The nastie picked up some additional nasties along the way; FunLove for example (from infected systems). Thus, the "original" might (have) come in different flavors ;).

    regards.

    paul
     
  7. FanJ

    FanJ Guest

    Still 16 scans in the last half hour here......
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Won't stop for quite a while, Jan.

    On a side note: copies from the original opasoft and a variant have been supplied to major AV/AT vendors by us in the meanwhile. Just released radius update from TDS covers both.

    regards.

    paul
     

  9. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    They're baaaaack ! :mad: As of 8am this morn !

    bill
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Bill,

    As I posted in reply to Jan:

    regards.

    paul
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Some specs coming from SARC:

    Upon Execution, W32.Opaserv.Worm does the following:

    It will check for the value:
    ScrSvrOld
    under the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    and if the value exists, it will delete the file pointed to by the above registry value.

    If the above value does not exist, it will then check if the value:
    ScrSvr
    under the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    exists, and if it does not, the worm will add the value:
    ScrSvr %Windows%\ScrSvr.exe
    under the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    Next, it will check if it is being run as the file:
    %Windows%\ScrSvr.exe
    if not, it will copy itself to the above filename and add the value:
    ScrSvrOld <original worm name>
    under the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    After checking the registry values and the location from which the worm is executing, the worm will check if it is currently executing by creating a Mutex with the name:
    ScrSvr31415

    If it is not already executing, the worm will register itself as a process under Win9x, or under other Operating Systems it will elevate the worm process priority.

    The worm will then enumerate the network looking for "C\" shares and for each share it finds, it will copy itself to "C\Windows\scrsvr.exe". It will also modify
    c\windows\win.ini
    to read:
    run= c:\tmp.ini
    It will also create the file:
    c\tmp.ini
    which contains the text:
    run= c:\windows\scrsvr.exe


    The worm also appears to contain the ability to update itself by reading files from a website hardcoded within the worm. It will also attempt to download an update, "scrupd.exe".

    -------

    regards.

    paul
     
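    As an added defender-side example (not from the post or from SARC), a small Python host check for the persistence artifacts the description above lists: the ScrSvr and ScrSvrOld values under the Run key, a win.ini run= line pointing at tmp.ini, and a tmp.ini that launches scrsvr.exe. The registry values and ini contents are passed in as already-read data, and all sample values are constructed.

```python
import re

# Indicators from the SARC description quoted above; anything else
# here (sample values, function names) is constructed for this example.
SUSPECT_RUN_VALUES = {"scrsvr", "scrsvrold"}   # value names under the Run key
DROPPED_FILE = "scrsvr.exe"                    # %Windows%\ScrSvr.exe
STAGER_INI = "tmp.ini"                         # c:\tmp.ini referenced from win.ini

RUN_LINE = re.compile(r"^run\s*=\s*(.+)$", re.IGNORECASE)


def check_run_values(run_values):
    """run_values: {value name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    findings = []
    for name, data in run_values.items():
        if name.lower() in SUSPECT_RUN_VALUES or data.lower().endswith(DROPPED_FILE):
            findings.append(f"Run value {name}={data}")
    return findings


def check_ini(text, target, label):
    """Report a run= line whose target ends with `target` (case-insensitive)."""
    for raw in text.splitlines():
        m = RUN_LINE.match(raw.strip())
        if m and m.group(1).strip().lower().endswith(target):
            return [f"{label} run= -> {m.group(1).strip()}"]
    return []


def scan_host(run_values, win_ini_text, tmp_ini_text):
    """Combine the three checks; an empty list means no Opaserv artifacts seen."""
    return (check_run_values(run_values)
            + check_ini(win_ini_text, STAGER_INI, "win.ini")
            + check_ini(tmp_ini_text, DROPPED_FILE, "tmp.ini"))


# Constructed sample of an infected host (paths are placeholders).
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "ScrSvr": r"C:\WINDOWS\ScrSvr.exe",
    "ScrSvrOld": r"C:\WINDOWS\TEMP\original_name.exe",
}
SAMPLE_WIN_INI = "[windows]\nload=\nrun= c:\\tmp.ini\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_TMP_INI = "run= c:\\windows\\scrsvr.exe\n"

if __name__ == "__main__":
    for f in scan_host(SAMPLE_RUN_VALUES, SAMPLE_WIN_INI, SAMPLE_TMP_INI):
        print("FOUND:", f)
```

    The mutex name ScrSvr31415 from the description is a live-process check and is not covered here, since it needs a Windows API call rather than parsed data.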
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Good work paul and all you others out there. ;)
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Thanks John ;). Now, in case you have valuable input - don't hesitate!

    regards.

    paul
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    CERT is pointing to another source in regard to these probes:

    "We have received reports of an increase in scanning activity directed at port 137/udp. This port is commonly used for NetBIOS name resolution by Windows Networking. Reports suggest that this activity is related to a piece of malicious code known as W32/BugBear."

    Thus, the combo opasoft.A, Opasoft.B plus BugBear seems to cause high traffic...

    regards.

    paul
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And was Bugbear not sent around by email as 50,8kb sized attachments? As invisible before opening like Klez?
    Received various of those today.
    And still TCP Port Listen stops the knocking and still have no reply how this is possible and if it could be dangerous anyhow to use that in this way. Before it helped with CodeRed but with that the knocking continued, and now with this UDP 137 it stops (at least nothing noticed anymore).
     
  16. controler

    controler Guest

    Jooske

    The code is checking to see if the port is open or not. If it appears stealthed or closed it looks no further.

    Doesn't this sound about right?
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    controler,

    I think you're right. They only knock once. But every infected computer does, so it doesn't explain why it looks like Jooske isn't being bothered anymore.
    I know I am and my port is stealthed.

    Regards,

    Pieter
     
  18. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, if you're just running Stealthed and have nothing listening, you'll probably get pounded to death! :rolleyes:

    Different (software) firewalls (even though ostensibly stealthed) seem to react differently if there's actually something listening on the indicated port even if it's ostensibly blocked by the firewall. (Given that there's a service listening, I can change the behavior in the more recent versions of NIS/NPF.)

    Try putting the Tambu Dummy Server up on UDP 137 and see if that makes a difference; then change the setting to TCP 137. In both instances have the firewall set to BLOCK TCP/UDP inbound on Port 137. You may see dramatically different behavior.

    However, note that Lawrence Baldwin just pointed out the existence of a diurnal (daily) cycle in these probes. See his thread at DSLR Security Forum. So you need to run the tests in a fairly short time interval -- preferably between 1400 and 2100 EDT, as I recall.
     
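    An added example (not from the thread) of the check that jvmorris's diurnal-cycle remark and the per-half-hour counts earlier in the thread call for: bucket inbound udp/137 hits from a firewall log by hour, count distinct sources per hour, and list any source that knocked more than once. The log layout and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log lines (not from the thread), in a generic
# "date time action proto src:port -> dst:port" layout.
SAMPLE_LOG = """\
2002-10-01 14:02:11 BLOCK UDP 198.51.100.7:137 -> 192.0.2.10:137
2002-10-01 14:09:45 BLOCK UDP 198.51.100.23:137 -> 192.0.2.10:137
2002-10-01 14:31:02 BLOCK UDP 203.0.113.5:137 -> 192.0.2.10:137
2002-10-01 15:01:30 BLOCK UDP 198.51.100.7:137 -> 192.0.2.10:137
2002-10-01 15:12:00 BLOCK TCP 198.51.100.9:4021 -> 192.0.2.10:80
2002-10-01 21:40:15 BLOCK UDP 203.0.113.77:137 -> 192.0.2.10:137
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}):\d{2}:\d{2} \w+ (\w+) "
    r"([\d.]+):\d+ -> [\d.]+:(\d+)$"
)


def netbios_probe_summary(log_text):
    """Return ({hour: (hits, unique sources)}, [sources seen more than once])
    for inbound udp/137 only; other traffic is ignored."""
    per_hour_hits = Counter()
    per_hour_sources = defaultdict(set)
    per_source = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, hour, proto, src, dport = m.groups()
        if proto.upper() != "UDP" or dport != "137":
            continue
        key = f"{day} {hour}:00"
        per_hour_hits[key] += 1
        per_hour_sources[key].add(src)
        per_source[src] += 1
    hourly = {k: (per_hour_hits[k], len(per_hour_sources[k]))
              for k in sorted(per_hour_hits)}
    repeaters = sorted(s for s, n in per_source.items() if n > 1)
    return hourly, repeaters


if __name__ == "__main__":
    hourly, repeaters = netbios_probe_summary(SAMPLE_LOG)
    for hour, (hits, srcs) in hourly.items():
        print(f"{hour}: {hits} hits from {srcs} sources")
    print("knocked more than once:", repeaters)
```

    A worm that probes each target once, as discussed above, shows up as many distinct sources with few repeaters; a single source hitting repeatedly is a different pattern worth a separate look.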
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I tell you stronger:
    i have the ability to look at UDP and TCP 137 on various levels:
    from computer > localhost,
    from the netcard,
    from the modem,
    from localhost,
    so the various levels with different IPs and the possible traffic, and on none of them is any traffic sent or received at all!
    So i think i can be confident nothing is entering my way.
     