Discussion in 'malware problems & news' started by Randy_Bell, Jan 31, 2003.

Thread Status:
Not open for further replies.
Randy_Bell (Registered Member)
    Mods: Please note: the following info is not a cut-and-paste from the Trend Micro site, but timely info from the Trend Micro Newsletter. The site info contains more detail, under the "technical details" tab for WORM_OPASERV.Q.

    WORM_OPASERV.Q propagates via network shared C:\ drives and downloads an executable file from a specific Web site. It modifies the registry of its infected systems to allow it to automatically execute at every Windows startup. This worm runs on all Windows platforms.

    Upon execution, this worm deletes the following files from the Windows directory:

    • %Windows%\SCRSVR.EXE

    The above files are the dropped files of earlier variants of this worm.

    After the initialization process, the worm creates three threads that execute concurrently (Infect, Search, and Update). Each thread executes one routine of this worm and uses a separate path of execution.

    The Infect thread is the first thread that this worm creates. It listens for connections from other machines on the same network domain as the infected system, and enables infection of other systems where it has write access in the network.

    The worm utilizes the Share Level Password exploit to infect the network shares. This allows the worm to access password-protected shares in Windows 95, 98, and ME systems.

    The second thread that this worm creates, the Search thread, searches shared network C:\ drives. It searches for machines in the same network domain that have shared C:\ drives and does this repeatedly. Once it has received a reply for the share access request, the first thread connects and the second thread continues to scan the domain for other possible shares to infect.

    The third thread, the Update thread, is responsible for obtaining an updated copy of the worm from a specific Web site. It is also capable of processing commands from the remote Web site. Then, it sends this information using the data stored in the two local files SRV32.DAT and SRVOUT.DAT in the C:\ folder. The files are encrypted to prevent the user of the infected system from tampering with or viewing the data. The worm repeats some of the functions in the threads in an infinite loop, making the process memory-resident.

    If you would like to scan your computer for WORM_OPASERV.Q or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com

    WORM_OPASERV.Q is detected and cleaned by Trend Micro pattern file #449 and above.
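A host triage check for the artifacts named in the write-up above, added here as an example and not code from Trend Micro or from the post. It assumes a modern PowerShell on the suspect Windows host and assumes the autorun entry lives under the standard HKLM/HKCU Run keys (the write-up says the registry is modified for startup but does not name the key or value); the file paths come from the write-up.

```powershell
# Added Opaserv.Q triage check (example code, not Trend Micro's). Run elevated on the host.

# File artifacts named in the write-up: the earlier-variant dropper and the
# two encrypted data files used by the Update thread.
$indicatorFiles = @(
    (Join-Path $env:windir 'SCRSVR.EXE'),
    'C:\SRV32.DAT',
    'C:\SRVOUT.DAT'
)

# Assumption: the startup entry is in one of the standard Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-OpaservIndicators {
    $findings = @()

    foreach ($f in $indicatorFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $f }
        }
    }

    foreach ($k in $runKeys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $target = [string]$p.Value
            # Flag entries that reference the write-up's file names, and any entry
            # whose executable no longer exists (a cleaned dropper leaves a dangling value).
            $exe = ($target -replace '"', '').Split(' ')[0]
            $dangling = ($exe -ne '') -and -not (Test-Path -LiteralPath $exe)
            if ($target -match 'SCRSVR|SRV32|SRVOUT' -or $dangling) {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Detail = "$k : $($p.Name) = $target" }
            }
        }
    }

    return $findings
}

$hits = Get-OpaservIndicators
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host 'No Opaserv.Q indicators found.' }
```

Any hit is only a lead: confirm with a current pattern file (#449 or later per the write-up) before treating the host as clean or infected.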