Opasoft (again)

Discussion in 'malware problems & news' started by FanJ, Oct 21, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Quote from Kaspersky:
    [hr]
    Opasoft Is Back More Dangerous Than Ever
    Kaspersky Labs has detected a new modification of the network worm
    "Opasoft" (also known as "Opaserv" and "Brasil"). Kaspersky Labs has
    already recorded numerous registered infections.

    The main distinctions marking this new "Opasoft" modification are that
    it is compressed with the UPX file packing utility and encrypted with
    the PCPEC utility. The result is a shorter file bearing the worm and an
    altered external appearance; however, the worm's functionality has not
    changed. The new modification's actions almost fully correspond to those
    of the original version.

    Kaspersky Anti-Virus is the only anti-virus program that protects
    computers from the new Opasoft modification without requiring an update
    of anti-virus database signatures.

    Archive and compression utilities present considerable problems for
    modern computer virology. "This problem is one of the keys in the battle
    with new viruses. Virus authors have long known how to, without effort,
    outwit anti-virus software and thereby widely use compression and
    encryption methods", commented Eugene Kaspersky, Head of Anti-Virus
    Research at Kaspersky Labs - "Specifically to respond to this we decided
    to find a different path to defend users against each specific virus
    modification by supporting utilities used for encryption and
    compression."

    More detailed information about the "Opasoft" worm and its new modified
    version can be found in The Kaspersky Virus Encyclopedia at:
    http://www.viruslist.com/eng/viruslist.html?id=52256
     
  2. FanJ

    FanJ Guest

    Quote from that Kaspersky page:
    [hr]

    Worm.Win32.Opasoft (a.k.a. Opaserv)

    The Opasoft network worm virus, also known as "Opaserv", has a backdoor trojan routine. The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with a length of about 28KB.

    The Opasoft worm was first detected at the end of September 2002; by the beginning of October 2002 it had already caused a global epidemic.

    Installation
    The worm installs itself to the Windows directory with the name "scrsvr.exe" and registers this file in the system registry auto-run key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    ScrSvr = %worm name%

    Opasoft then deletes its original file (from where it was started).


    Spreading
    In order to find victim computers Opasoft scans subnets for port 137 (NETBIOS Name Service). IP addresses of the following networks are scanned:

    - the current subnet of the infected computer (aa.bb.cc.??)
    - the two nearest subnets of the currently infected computer (aa.bb.cc+1.??, aa.bb.cc-1.??)
    - randomly selected subnets (excluding those where scanning is disabled)

    If, while searching (scanning), Opasoft happens upon a responding IP address (of an actual computer), the worm then scans the two nearest subnets of that IP address.

    When "reply data" is received Opasoft checks a special field contained in it. If it shows that the given computer has the service "File and Print Sharing" open, Opasoft begins its infection procedure on that computer as a remote host.

    During infection, Opasoft sends, via port 139 (NETBIOS Session Service), special SMB packets that transmit the following commands:

    - sets up a connection with the \\hostname\C resource (where "hostname" = the name of the victim computer, which is determined when the victim computer answers Opasoft (by sending its "reply data") during the scan)
    - if the resource is password protected, the worm runs through all possible "one symbol" passwords, conducting a "brute-force" attack

    If the connection is successful, Opasoft transmits its EXE file; during transmission the full name of the destination file containing the code (exe file) is revealed:

    WINDOWS\scrsvr.exe

    Opasoft then reads the Windows\win.ini file on the victim machine and copies (saves) it to the local disk (of the remote computer) under the name:

    C:\TMP.INI

    To this C:\TMP.INI file the worm copies the auto-run command; the file is placed in the victim computer's Windows system directory upon being sent back to the victim computer.
    After receiving these packets from the remote computer, two files appear on the victim machine:

    - \WINDOWS\scrsvr.exe - a copy of the Opasoft worm
    - \WINDOWS\win.ini - a Windows INI file which contains the auto-run command (to "auto-run" the Opasoft worm)

    The second file, win.ini, results in Opasoft gaining control of the victim computer upon system restart.

    Password Exploit

    To get passwords needed to gain access to victim machines, the worm uses the security breach "share level password exploit". For a detailed description of this exploit please click the following address: http://www.nsfocus.com/english/homepage/sa_05.htm

    The worm programmatically "suggests" a password field with only one character length to the victim host. When a one-byte password is "suggested", the host will check only the first byte of the password. In case the first byte is correct, the authentication process will be successfully passed. As a result it is enough to try only all one-byte passwords for the attacker to exploit vulnerable Win9x machines. The patch for this vulnerability is available at: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.

    Backdoor

    The backdoor routine goes to the wwx.opasoft.xxxx WEB-site and performs the following actions:

    - downloads and executes its latest version (if there is one)
    - downloads and processes script files placed at this site

    New worm versions are downloaded to the file "scrupd.exe". This file is then run, and replaces the existing worm copy.

    While processing the backdoor it uses its data files: "ScrSin.dat" and "ScrSout.dat". These files are encrypted with a strong crypto-algorithm.

    Because the server at www.opasoft.com is down, it is not possible to get more information about this backdoor routine.


    Technical Details
    To avoid running twice on the same machine the worm creates a "Windows mutex" under the "ScrSvr31415" name.

    Win9x machines are infectable, while the infection of WinNT machines is highly unlikely and almost impossible.

    One of the worm versions writes log data about scanned and infected machines to the "ScrLog" and "ScrLog2" files.

    Removal
    The worm caused a global epidemic and hit many Win9x systems because of the following reasons:

    - it spreads using the standard NETBIOS protocol
    - the "\\hostname\C" resource name is the default name on opening a share on the C: drive
    - there is no request for a password on share opening
    - many users don't pay enough attention to password length and security

    To get rid of the worm and to avoid reinfection it is necessary to:

    - disable file sharing, or apply a safe enough password to opened shares
    - delete the infected EXE file
    - remove the worm's "run" commands from the WIN.INI file and system registry (see above)


    --------------------------------------------------------------------------------


    Worm.Win32.Opasoft.a (a.k.a. Brasil)
    Opasoft.a, also known as "Brazil", is a new variant of the "Opasoft" worm.

    The differences are:


    The original "Opasoft.a" worm is not compressed. The "Brasil" variant is encrypted by the "PCPEC" PE EXE file encryption utility and then compressed by the "UPX" PE EXE files compression tool.

    The text strings are patched. For example, the following strings are replaced:

    "ScrSvr", "ScrSin" -> "Brasil"
    "ScrSout" -> "Brasil!"
    "scrupd" -> "puta!!"
    "wwx.opasoft.xxxx" -> wwx.n3t.xxxx.xxxx

    As a result the "Brasil" modification behaves a bit differently, however the spreading and backdoor routines are exactly the same as with the original worm variant.

    Installation

    The Opasoft.a worm installs itself to the Windows directory under the name "brasil.exe" or "brasil.pif" (depending on the "Brasil" patch variant) and registers this file in the auto-run registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Brasil = %worm name%

    Spreading

    While infecting remote computers the Opasoft.a worm uploads itself under the "brasil.exe" or "brasil.pif" name, and writes a corresponding string to the remote WIN.INI file.

    Backdoor

    The backdoor routine goes to the wwx.n3t.xxxx.xxxx WEB-site and performs the following actions:

    - it downloads and executes its new version (if there is one) from this site
    - it downloads and processes script files placed at this site
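The "Spreading" section above describes a port-137 sweep of the local /24 and its two neighbouring /24s, which is also what root's log full of UDP 137 looks like from the receiving side. As an added example (written for this thread, not Kaspersky's text or any tool named here), the following Python detector parses constructed firewall log lines and flags any source that probes UDP/137 across many hosts and adjacent /24 subnets; the log format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (sample data, not from the thread): 192.0.2.77
# probes port 137 across 198.51.100.0/24 and both neighbouring /24s, the scan
# pattern the Opasoft description gives; 203.0.113.5 is ordinary traffic.
SAMPLE_LOG = """\
2002-10-21 09:00:01 UDP 192.0.2.77 -> 198.51.100.1:137
2002-10-21 09:00:01 UDP 192.0.2.77 -> 198.51.100.2:137
2002-10-21 09:00:02 UDP 192.0.2.77 -> 198.51.100.3:137
2002-10-21 09:00:02 UDP 192.0.2.77 -> 198.51.100.4:137
2002-10-21 09:00:03 UDP 203.0.113.5 -> 198.51.100.53:53
2002-10-21 09:00:03 UDP 192.0.2.77 -> 198.51.99.10:137
2002-10-21 09:00:04 UDP 192.0.2.77 -> 198.51.101.10:137
2002-10-21 09:00:04 UDP 203.0.113.5 -> 198.51.100.20:137
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return None if m is None else {**m.groupdict(), "dport": int(m["dport"])}

def subnet24(ip):
    """First three octets of a dotted-quad address, as a tuple."""
    return tuple(int(o) for o in ip.split(".")[:3])

def has_adjacent_subnets(subnets):
    """True when two probed /24s differ by one in the third octet: the
    'two nearest subnets' behaviour described for the worm."""
    s = set(subnets)
    return any((a, b, c + 1) in s for (a, b, c) in s)

def find_netbios_sweeps(log_text, min_hosts=4):
    """Group UDP/137 probes by source and report each source that touched at
    least min_hosts distinct destinations, with the /24s it covered."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == 137:
            targets[rec["src"]].add(rec["dst"])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_hosts:
            subnets = sorted({subnet24(d) for d in dsts})
            report[src] = {"hosts": len(dsts), "subnets": subnets,
                           "adjacent_subnets": has_adjacent_subnets(subnets)}
    return report
```

Running `find_netbios_sweeps(SAMPLE_LOG)` reports only 192.0.2.77, with six probed hosts spread over three consecutive /24s; the single DNS query and lone port-137 lookup from 203.0.113.5 stay below the threshold.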
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Thanks for the info Jan.
    I noticed my log was filling up with UDP 137 again and was wondering why.
    Now I know.
     
  4. FanJ

    FanJ Guest

    Hi Root,

    You're welcome! ;)

    In the meanwhile I have edited some of the links (put some xxxx in there); I should have done that from the beginning, sorry!
     
  5. controler

    controler Guest

    And what does Andrea think about the fact that it is compressed with the UPX file packing utility and encrypted with the PCPEC utility? The result is a shorter file bearing the worm and an altered external appearance; however, the worm's functionality has not changed. The new modification's actions almost fully correspond to those of the original version. And that only Kaspersky detects it without new updates?
     
  6. wasabi

    wasabi Guest

    hey guys,

    So how can we detect this new worm? Because I knew someone who was infected by this worm earlier today, and it was this version of Opasoft. It was caught by Norton and was deleted from the computer. Anyone got any removal tools?

    wasabi
     
  7. Scotcov

    Scotcov Guest

    I have a question about the original Opasoft.
    I run windows 98se with print and file sharing disabled, and netbios closed on outpost free.
    This morning I ran spybot, after connecting to the internet, and only usage tracks showed. I ran a spybot update (almost immediately), and again scanned. It alerted me to Opasoft. I looked in explorer, and sure enough, there was a folder: windows\scrsvr.exe. It was empty. I deleted it manually. Spider guard had not given an alert. I ran Dr.Web and Opaclean. Both showed me clean of any infection from Opasoft.
    Does anyone have any idea how or why I got that opasoft folder? And am I still at risk?
    Thank you
    Scotcov
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Scotcov,

    Actually: no, other than your system could have been infected before updating the virus database.

    Dr.Web and the cleaning tool would certainly have grabbed it.

    regards.

    paul
     
  9. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Scotcov,

    You said "I looked in explorer, and sure enough, there was a folder: windows\scrsvr.exe."

    I am confused by the word "folder"...and then it was empty.

    In Windows you can not have a file folder by that name...and if it was anything else besides a folder, the extension (like .exe, .com, .txt) would be not a folder but an icon...then you deleted "IT" manually.


    I know I am missing something here...what is it?


    Is it a file folder called "scrsvr.exe" ?
     
  10. Scotcov

    Scotcov Guest

    Hi Primrose.

    "Is it a file folder called "scrsvr.exe" ?"
    Yes! It was actually a folder in the windows directory with an .exe extension. I clicked on the folder and it was empty. What seems strange to me also is that it seemed to come from the Spybot update. I absolutely did not have that folder before the update!

    Scotcov
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Scotcov,

    :D Yes..we are both thinking the same thing here ..that it was spybot...maybe a hiccup..I was also trying to figure out if maybe you had downloaded some type of cleaning tool for this bad boy, just to be safe at one time recently, and ended up with a legit folder..but I do not know any that are like that...Hey this is a nice mystery ;-)..I am sure you are using the new spybot 1.1..hmmm.

    That sure is a strange name for a folder.
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Maybe it is one of those neat tricks where if you have a folder called scrsvr.exe in the same place where the real Opasoft wants to give you the "scrsvr.exe" infection the folder will stop it or alert you o_O?? :)
     
  13. Scotcov

    Scotcov Guest

    :D I think you figured it out Primrose! I had also just newly run the detector and cleaner Opaclean when all this started. Anyway, after your post I checked for the scrsvr.exe folder. It wasn't there. I ran Opaclean, and asked to be immunized. The folder appeared! Another great mystery solved.....I hope.
    Boy, is security fun.
     
  14. Scotcov

    Scotcov Guest

    BTW, this also explains why Dr.Web didn't catch it: there was nothing in reality to catch. And it also clears Spybot. In fact, it makes it look even better.
    Everyone should stick to products Wilders recommends!
    They're great!

    Scotcov
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hey we did it ...good going ;) Now we have an answer for others also.
     
  16. yodafan

    yodafan Guest

    hey paul,

    The link to the direct link for downloading the Opasoft removal utility does not work.

    YODA
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,838
    Location:
    New England
    Yoda,

    Are you talking about the link from the Wilders.org "Free Tools" Page?

    http://www.wilders.org/free_tools.htm
    Yes, that link is broken and we'll need to fix that page. Thanks for bringing it to our attention. :)

    It would appear that the Australian NOD32 site has changed its references to the cleaning tool. But, they have linked another at their main page in the meantime:

    http://www.nod32.com.au/

    Best Wishes,
    LowWaterMark
     
  18. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia

    You gotta keep a close eye on me ... I change links without warning to keep ahead of changing times. :)

    Speaking of links ... check out http://www.nod32.com.au/nod32/about/bathurst.htm

    Life in the FAST lane !!!
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks for the heads up!

    Nice car, btw. Personally, I do prefer my vintage Rover PII 3500S though :D )

    regards.

    paul
     
  20. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Great engine! Back in the 1980s I came very close to buying a Countach replica with a supercharged Rover 3500 engine. It was actually faster than a genuine Countach. I ended up getting a hot Volvo 740 Turbo instead ... kinda hard to fit two growing daughters and a wife in a Countach. :))
     
  21. yodafan

    yodafan Guest

    hey guys,

    Yep, that was the link I was referring to, LowWaterMark; sorry for not being specific. Thanks for the new link.

    YODA
     