Two FREE TOOLS to clean W32/Opasoft.A

Discussion in 'malware problems & news' started by Primrose, Oct 3, 2002.

Thread Status:
Not open for further replies.
  1. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    VSantivirus no. 817 - Year 6 - Wednesday, 2 October 2002

    W32/Opasoft.A. Propagates through port 139
    http://www.vsantivirus.com/opasoft-a.htm

    Name: W32/Opasoft.A
    Type: Internet worm
    Alias: W32.Opaserv.Worm, W95/Scrup.worm, Worm_Opasoft.a, W32/Opasoft-A, OpaSoft, Worm/OpaSoft, BackDoor-ALB, Backdoor.Opasoft, Bck/Opasoft, Worm.Win32.Opasoft, WORM_OPASOFT, WORM_OPASOFT.A, W32/Opaserv.worm, W32/Opaserv-A, Win32.Opaserv, W32/Scrup.worm, Worm.Win32.Opasoft.a, Opasoft, Scrup
    Date: 30/Sep/02
    Size: 28,672 bytes
    Platform: Windows 32-bit
    Tools to remove W32/Opasoft.A from an infected system
    Although some vendors have not given it as high an alert level as Bugbear, we have had no reports of it, nor any inquiries from Spain, except for Panda's alert. In addition, at least one antivirus vendor has said that the worm can only propagate on machines running Windows 95, 98 and Me, and not on NT, 2000 or XP. This has not been corroborated.

    This worm can propagate through shared resources on networks of computers using port 139 (NetBIOS, NetBEUI). If your computer has the option "File and printer sharing for Microsoft networks" enabled, it could be accessed over the Internet and therefore infected by this worm. Nevertheless, some vendors say that it only scans internal networks.

    When the worm runs, it copies itself with the name SCRSVR.EXE to each remote computer.

    It also has the ability to download updates from the site www.opasoft.com, which has been taken down.

    On an infected computer, some (or all) of the following files may exist (depending on whether the infection was local or through the network):

    C:\ScrSin.dat
    C:\ScrSout.dat
    C:\tmp.ini
    C:\Windows\ScrSvr.exe

    Once active in memory, the worm registers itself as a process that repeatedly scans the network looking for other connected machines, incrementing the value of the last octet of the current machine's IP address:

    Example:

    IP of the computer: 169.254.233.48
    Searches: 169.254.233.49, 169.254.233.50, etc.

    It then obtains the names and IP addresses of the machines found, and sends this information to the download site mentioned above.

    One vendor reports that it could also look for machines on the Internet with shared resources enabled. No tests have been carried out on this.

    Next, it checks for the existence of the following entry in the machine's registry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    ScrSvrOld = C:\tmp.ini

    If this value exists, the worm deletes the file C:\TMP.INI

    If the value does not exist, it then checks for the presence of the following value:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    ScrSvr = C:\Windows\ScrSvr.exe

    In all cases, 'C:\Windows' can vary according to the installed operating system (that name by default in Windows 9x and XP, and 'C:\WinNT' in Windows NT/2000).

    If "ScrSvr = C:\Windows\ScrSvr.exe" does not exist, the worm adds it to the key mentioned above (which makes the worm run automatically each time Windows starts).

    Next, it checks whether it is running from C:\Windows\ScrSvr.exe

    If not, it copies itself with that name to that folder and adds it to the registry entry mentioned above.

    After checking the registry values and its own location, the worm checks whether another instance of itself is running, by looking for a mutex called "ScrSvr31415" (a mutex is an object used to control access to any type of resource, such as programs and applications, and to prevent more than one process from accessing the same resource at the same time).

    If none is active, the worm registers itself as a process (under Windows 9x and Me), or raises the priority of the current process (Windows NT, 2000 and XP).

    The worm enumerates the shared resources named "C" that it finds on the network (the default configuration when sharing drive C:\ with the network), and to each resource found on which it has write permission, it copies itself as:

    C\Windows\scrsvr.exe

    For this it uses SMB (Server Message Block protocol), the communication protocol that MS-Windows-based operating systems use to access shared resources on a network, through port 139 (NetBEUI on Microsoft Windows systems).

    It also modifies the file WIN.INI (under the [Windows] section) to include the following entry:

    run = C:\tmp.ini

    It then creates the file "C:\tmp.ini", which contains the following text:

    run=C:\windows\scrsvr.exe

    That way, when the computer starts, WIN.INI (C:\Windows\Win.ini) is processed and then SCRSVR.EXE, which is the worm itself, is executed.

    The worm has the ability to update itself automatically by connecting to the site mentioned above. To do this it tries to download and execute the file "scrupd.exe". At the moment this site has been taken down.

    As part of the preparations for this update, the worm creates the files SCRSIN.DAT and SCRSOUT.DAT in the root of C:\

    To avoid its propagation through shared resources on networks, it is advised not to keep these configured without password authentication.

    Note that, according to at least one antivirus vendor, if your computer has the option "File and printer sharing for Microsoft networks" enabled, it could be accessed over the Internet and infected by this worm.

    To avoid this, on a home system, disable the option "File and printer sharing for Microsoft networks" as indicated in this article (advised only on Windows 95, 98 and Me):

    How to disable file sharing over TCP/IP
    http://www.vsantivirus.com/compartir.htm

    Or use a firewall such as ZoneAlarm:
    http://www.vsantivirus.com/za.htm


    Tools to remove W32/Opasoft.A from an infected system

    To remove this worm from an infected system, the following tools are suggested:

    W32.Opaserv.Worm Removal Tool (Symantec) (156 KB)

    http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

    PQRemove (Panda) (1.2 MB)

    http://www.pandasoftware.es/library/pqremove_en.htm
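    As an added example (not from VSantivirus or any of the removal tools above), the following script checks the two persistence points the description mentions, the Run values named ScrSvr/ScrSvrOld and the run= line under [windows] in WIN.INI, by parsing a WIN.INI text and a .reg export of the Run key, so it runs offline on constructed samples; the indicator names come from the description, the sample inputs are made up.

```python
import re

# Indicators taken from the W32/Opasoft.A description above (case-insensitive).
OPASOFT_FILES = {"scrsvr.exe", "tmp.ini", "scrsin.dat", "scrsout.dat"}
OPASOFT_RUN_VALUES = {"scrsvr", "scrsvrold"}

def _basename(path):
    # Normalise "C:\Windows\ScrSvr.exe" (quoted or not) down to "scrsvr.exe".
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_win_ini(text):
    r"""Return [(key, value)] for run=/load= lines under [windows] naming an Opasoft file."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key.lower() in ("run", "load") and _basename(value) in OPASOFT_FILES:
            hits.append((key, value))
    return hits

def scan_reg_export(text):
    r"""Return [(name, data)] for values under ...\CurrentVersion\Run that are named
    ScrSvr/ScrSvrOld or whose data names an Opasoft file (input: regedit /e text)."""
    hits, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header; track whether we are inside the Run key
            in_run = line.lower().endswith("\\currentversion\\run]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run and m:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
            if name.lower() in OPASOFT_RUN_VALUES or _basename(data) in OPASOFT_FILES:
                hits.append((name, data))
    return hits

# Constructed samples, not captured from a real infection.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\tmp.ini\n[Desktop]\nWallpaper=none\n"
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n"
              "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
              '"ScrSvr"="C:\\\\Windows\\\\ScrSvr.exe"\n'
              '"SomeTool"="C:\\\\Program Files\\\\Tool\\\\tool.exe"\n')

if __name__ == "__main__":
    print(scan_win_ini(SAMPLE_WIN_INI), scan_reg_export(SAMPLE_REG))
```

    On a live machine you would feed it C:\Windows\Win.ini and the output of `regedit /e` for the Run key; any hit is worth checking against the file list above before running one of the removal tools.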
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Free Tools to Clean Opaserv/BugBear

    :D I would like to redirect you all to this thread for good cleaning tools from NOD32.

    Do not leave home without them ;)

    ______________
    Hi all,

    As you know, these two worms are quite ITW. NOD32 intercepts them without any problem; anyway, some people in the Eset team worldwide released dedicated cleaners to handle these two beasts on infected computers. Here is the URL to download an up-to-date version of the cleaners (in English):
    ciao,
    Paolo.

    http://www.wilderssecurity.com/showthread.php?t=4443
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    For most of these tools when cleaning Opasoft, try to do it in the safe mode and also...


    NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore is not disabled as previously directed because Windows prevents System Restore from being modified by outside programs. Because of this, the removal tool might fail.


    Try this with screenshots...

    In Windows Millennium there was a new feature introduced called System Restore. The new Windows XP has this feature. It creates backup copies of the essential system files so they can be restored if they get corrupted. Sometimes this makes disinfection difficult, as backup files can get infected and copied to the System Restore folder by Windows. Then, after disinfection, Windows will copy the infected file back over the clean ones.

    NAME: Disabling System Restore on Windows ME
    ALIAS: Disabling Windows ME AutoRestore feature

    http://www.europe.f-secure.com/v-descs/sfc_dis.shtml


    NAME: Disabling System Restore on Windows XP
    ALIAS: Disabling Windows XP AutoRestore feature


    http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml


    In that process you can then delete those files, reboot and start again from today, starting a new System Restore log without the "BadBoys".
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Primrose,

    The links you gave both get redirected to http://www.f-secure.com/ where shortsighted little me :D can't find the pages you want us to find. Could you help out?

    Regards,

    Pieter
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    We did this before..thanks Pieter.. this time I will keep the good links. :D
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands