OpaServ - Grrrrrrrrrrr

This is bugging the hell out of me, I've cleaned a PC twice now, gone into the registry totally removed OpaServ and all it's variances through the following;

1. Disconnected computer from the Internet and LAN.

2. Booted to safe mode

3. Ran both of the NOD32 Opaserv cleaners from http://www.nod32.com.au

4. Checked win.ini for any unusual references after run=

5. Check registry and delete the values: ScrSvr %windir%\ScrSvr.exe and ScrSvrOld <original worm name> from the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

6. Manually search for and delete the files .....
scrsvr.*
brasil.*
marco*.*
put.ini
alevir.*

This time around I put on Sygate as the firewall, rescaned with Nod32, it came up all clean.

My Question to the Eset Team: Why is Nod32 allowing reinfection and changes to the registry to occur. Nod32 deletes the inffection upon detection, but still allows the registry to be altered, thus upon reboot heaps of messages appear: missing brasil... missing put.ini...etc, etc.

I have told this person to stop using webmail and use a pop3 account that I have set up.

Your help would be appreciated, I simply do not understand why Nod32 is allowing part of the virus to get past...

Cheers.

 

Hi Paul, in this case Windows 98SE fresh install after first infection of multiple viruses including Opaserv, so in fact today brings this to the 3rd reinfection in 4 days... I'll see how it goes tomorrow with Sygate having closed any and all open ports (I usually use ZoneAlarm, but in this case he wants to Internet Share, which Sygate facilitates).

Cheers.

 

Not sure Paul, but I have done a complete search of the registry, found and deleted all files relating to OpaServ, ran 2 removal tools from Nod32 and one from Symantic, everything then came up clean, all 3 times. Rescanned multiple times. Besides, this would not account for reinfection after a clean install of Windows, no system restore available after a format

I just can not see how he is being reinfected and why Nod32 is allowing part of the virus to get past, surely this is the job of Amon to scan and maintain protection of everything outside of the pop3 scanner...

Cheers.

 

Using win98se myself, no system restore here.
Was the first thing i was thinking of too.
I must remember we're in the NOD32 forums now, as i wanted to suggest to try your other new tools (even the eval versions would do) to see if anything is left and monitoring when or with what it happens.

 

Hi Blackspear,
These two links might give you an idea of what is going on with a fresh install of Win 98 "out of the box". This first link is on a project to get infected for a copy of Opaserv.



http://forum.gladiator-antivirus.com/index.php?act=ST&f=10&t=676&s=9f1a469a8e79951ca30b32833c4fb92e


This is why people are getting reinfected.


Subject: Opaserv reinfection possible cause

http://miataru.computing.net/security/wwwboard/forum/3034.html

 

Hi Jooske, don't get me wrong here, I do like TDS-3, but with it making my system into a PIG, my confidence in placing it on a Celeron 400 with 256MB Ram is absolutely ZERO, I want to sort out what it's doing to my system before taking it elsewhere

Cheers.

 

Hi Paul, yes that is one of the 3 cleaners that I used

I have very little hair left after the 3rd infection and they're using my heart to power a nuclear station...

Cheers.

 

Hi Blackspear,

Could you look at our downloads section and grab a copy of startuplist.
Please post the log the program makes. Maybe that will clarify things.

Regards,

Pieter

 

I am not going to suggest you use something else

But I will say there is not just ONE type of Opaserv and some standalone tools do have problems getting them "all.

How many versions of Opaserv at this time ..see this link.


http://forum.gladiator-antivirus.com/index.php?act=ST&f=56&t=690&s=9f1a469a8e79951ca30b32833c4fb92e


You can expect your AV to stop it if you have the OS, AV and firewall setup correctly and if your AV is looking for all the varieties.


But once infected ..it is tough.

 

No worries Pieter, will give it a go, I placed RegCleaner on the system and made sure only things that I know of were in the registry, it also now shows all exisitng files as "Old", so anything new will stand out...

It still does not answer why after a format and fresh install of windows why Nod32 let it back in again (though no firewall was present until today - 3rd infection).

Cheers.

 

I will leave you all to it then..but if you go to the links I posted it will explain...as you say


"It still does not answer why after a format and fresh install of windows why Nod32 let it back in again (though no firewall was present until today - 3rd infection)."

 

Hi Primrose, I followed the link, it does not explain anything other than showing there are a few variences

I'm one that is happy to continually look, listen and learn

Cheers.

 

More that just a few..is the problem and you will see more coming.

But you should not just rely on the AV in any case with what you know you can and should do to lockdown the OS so that it is not susecptable to Opaserv in the first place and that is why I also posted this link...

Subject: Opaserv reinfection possible cause

http://miataru.computing.net/security/wwwboard/forum/3034.html


And since Opaserv can play havoc with Win 98 start working on that OS so it can not set up shares and do its thing...that is most important.

 

Ahhhh that links much better

Thanks Primrose, I'm trying to get the system as tight as possible, however I'm dealing with dumb and dumber, these people have owned computers for years and they still do NOT know how to copy and paste, what can I say. If I lock it up too tight they won't be able to use it and my phone will run hotter than it already is

Cheers.

 

Hi all,

we experienced that in some cases, when the end user cannot use other means, it could be useful using a quick & dirty trick to avoid Opaserv infections: create "dummy" files with the same name of the files used by Opaserv and then protect them with file attributes.
Here you are a little tool to "immunize" the system against Opaserv

http://www.nod32.it/tools/DFC.ZIP

The program name is "Dummy File Creator" (DFC), and it has the purpose to create a list of files which hinder Opaserv replication through open shares. The configuration file (DFC.INI - a standard INI file) is already set to contain the right list of the files. Anyway, this program is easily customizable to handle whatever list of file names. DFC supports a switch on command line:

/s

if DFC has launched with that parameter on command line, it will work in "silent mode", i.e. it will create the files and then will quit without showing any window to the end user.

Enjoy

ciao,
Paolo.

 

I figured that it was not your system...that is a hard call..do too much and they will think you broke the box
We share in your fustration on that one.

Good Luck and happy holidays,

John

 

Paolo Monti to the rescue ONCE again. WTG I knew we could count on you for solutions as always. That will be a nice Holiday Present for many.

Thank You,
John

 

1) Make sure that Amon is loaded.

2) Make sure that Amon is set to scan on open+create+execute ("Targets" tab).

3) Make sure that nothing is excluded from Amon ("Exclude" tab).

4) Make sure that "Signatures" and "Heuristics" are set ("Methods" tab).

5) Disable sharing of C:\. (type "net share" in a DOS-prompt to see the shares)

6) Visit www.windowsupdate.com and download all available security updates.

Best regards,
Anders
EuroSecure

 

Thanks Paolo. Anders, I have done all of that, I set up Nod32 exactly as you have said on each install.

I now have a greater understanding of how this virus works:

One possible reason why this virus keeps reappearing is due to a protocol built into windows called Router Solicitation. This means that when your ports are open your system sends out its IP address to a mulicast server (log IP 224.0.0.2). This would have been set up by a previous infection. This has the effect of broadcasting your IP to whoever wants to listen (similar to announcing it on a radio - MS knowledge base Q223756).

The virus is then sent back to your system under the various names and you become reinfected, unless your virus scanner picks it up. The cure is to download a file called tweakup (free) from www.homestead.com/tweakup/tweakup.html and run a program called disable IRDP. This amends your registry to turn the transmission off.

This was posted on: http://miataru.computing.net/security/wwwboard/forum/3034.html

Together with Paolo's advice and a Firewall, I hope this mongrel will not reappear

I still would like to know from the Eset Team why Amon is allowing reinfection, as in, how it allows changes in the registry, surely it should stop this?

Cheers.

 

Hey Blackspear,

a virus doesn't write to the registers until it is executed - Amon protects it from being executed - if set up properly - it's possible that user had the settings not correct.

rgds,

jan

 

I'm quite certain that if you still receive infected files, you probably still have your drives shared.

Other possibilities are:
You have an unknown dropper for the Opaserv worm installed. (not likely)
You have a backdoor installed, and someone is dropping Opaserv to your computer. (not likely)

If you have a NT-based system, do the following:
Start -> Run
enter: %comspec% /c net share > c:\share.txt && notepad c:\share.txt
(that SHOULD work
Copy and paste the output to this forum.

If you have Windows 95/98/ME, I can't think of a quick way to show local shares... hmm.. yeah, the registry..
Start -> Run
enter (one line): regedit /e c:\share.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan
Start -> Run
enter: notepad c:\share.txt
Copy and paste the output to this forum.

Best regards,
Anders
EuroSecure

 

Yep, right. Here (I mean, in Italy) we had ITW a dropper of Opaserv, now detected by NOD32.

NET VIEW \\%ComputerName% should work as well.

ciao,
Paolo.