Opasoft (again)

Quote from Kaspersky:
[hr]
Opasoft Is Back More Dangerous Than Ever
Kaspersky Labs has detected a new modification of the network worm
"Opasoft" (also known as "Opaserv" and "Brasil"). Kaspersky Labs has
already recorded numerous registered infections.

The main distinctions marking this new "Opasoft" modification are that
it is compressed with the UPX file packing utility and encrypted with
the PCPEC utility. The result being the shortened length of the file
bearing the worm and an altered external appearance, however, the worm's
functionality has not changed. The new modification's actions almost
fully correspond to those of the original version.

Kaspersky Anti-Virus is the only anti-virus program that protects
computers from the new Opasoft modification without requiring an update
of anti-virus database signatures.

Archive and compression utilities present considerable problems for
modern computer virology. "This problem is one of the keys in the battle
with new viruses. Virus authors have long known how to, without effort,
outwit anti-virus software and thereby widely use compression and
encryption methods", commented Eugene Kaspersky, Head of Anti-Virus
Research at Kaspersky Labs - "Specifically to respond to this we decided
to find a different path to defend users against each specific virus
modification by supporting utilities used for encryption and
compression."

More detailed information about the "Opasoft" worm and its new modified
version can be found in The Kaspersky Virus Encyclopedia at:
http://www.viruslist.com/eng/viruslist.html?id=52256

 

Quote from that Kaspersky page:
[hr]

Worm.Win32.Opasoft (a.k.a. Opaserv)



The Opasoft network worm virus, also known as "Opaserv" has a backdoor trojan routine. The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with a length of about 28KB.

The Opasoft worm was first detected at the end of September 2002 - by the beginning of October 2002 it had already caused a global epidemic.


Installation
The worm installs itself to the Windows directory with the name "scrsvr.exe" and registers this file in the system registry auto-run key:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%
Opasoft then deletes its original file (from where it was started).


Spreading
In order to find victim computers Opasoft scans subnets for port 137 (NETBIOS Name Service). IP addresses of the following networks are scanned:


current subnet of the infected computer (aa.bb.cc ??)
the two nearest subnets of the currently infected computer (aa.bb.cc.cc+1 ?? , aa.bb.cc-1 ??)

selects subnets randomly (excluding those where scanning is disabled)
If, while searching (scanning) Opasoft happens upon a responding IP address (of an actual computer), the worm then scans the two nearest subnets of that IP address.

When "reply data" is received Opasoft checks a special field contained in it. If it shows that the given computer has the service "File and Print Sharing" open, Opasoft begins its infection procedure on that computer as a remote host.

During infection, Opasoft sends, via port 139 (NETBIOS Session Service) special SMB - packets that transmit the following commands:

sets a connection with the \\hostname\C resource(where "hostname" = the name of the victim computer which is defined when the victim computer answers Opasoft (by sending its "reply data") during the scan)
if the resource is password protected the worm runs through all possible "one symbol" passwords - conducting a "brute-force" attack
If connection is successful, Opasoft transmits its EXE file - during transmission the full name of the destination file containing the code (exe file) is revealed:

WINDOWS\scrsvr.exe

Opasoft then reads the Windows\win.ini file on the victim machine and copies (saves) it to the local disk (of the remote computer) under the name:

C:\TMP.INI

to this C:\TMP.INI file the worm copies the auto run command that is placed in the victim computer's Windows system directory upon being sent back to the victim computer.
To receive the packets from the remote computer two files appear on the victim machine:


\WINDOWS\scrsvr.exe - a copy of the Opasoft worm
\WINDOWS\win.ini - A Windows INI file which contains the auto-run command (to "auto-run" the Opasoft worm)
The second file, win.ini, results in Opasoft gaining control of the victim computer upon system restart.

Password Exploit

To get passwords needed to gain access to victim machines, the worm uses the security breach "share level password exploit". For a detailed description of this exploit please click the following address: http://www.nsfocus.com/english/homepage/sa_05.htm

The worm programmatically "suggests" a password field with only one character length to the victim host. When there is a one-byte password "suggested", the host will check only the first byte of the password. In case the first byte is correct, the autification process will be successfully passed. As a result it is enough to try only all one-byte passwords for the attacker to exploit vulnerable Win9x machines. The patch for this vulnerability is available at: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.

Backdoor

The backdoor routine goes to the wwx.opasoft.xxxx WEB-site and performs the following actions:

downloads and executes its latest version (if there is one)
downloads and processes script files placed at this site
New worm versions are downloaded to the file "scrupd.exe". This file is then run, and replaces the existing worm copy.

While processing the backdoor it uses its data files: "ScrSin.dat" and "ScrSout.dat". These files are encrypted with a strong crypto-algorythm.

Because the server at www.opasoft.com is down, it is not possible to get more information about this backdoor routine.


Technical Details
To avoid double twice on the same machine the worm creates a "Windows mutex" under the "ScrSvr31415" name.

Win9x machines are infectable while the infectinon of WinNT machines is highly unlikely and almost impossible.

One of worm versions writes log data about scanned and infected machines to the "ScrLog" and "ScrLog2" files.

Removal
The worm caused a global epidemic and hit many Win9x systems because of following reasons:

it spreads using the standard NETBIOS protocol
the "\\hostname\C" resource name is the default name on opening a share on C: drive
there is no request for a password on share opening
many users don't pay enough attention to password length and security
To get rid of the worm and to avoid reinfection it is necessary to:

disable file sharing, or apply safe enough password to opened shares
delete infected EXE file
remove worm's "run" commands from WIN.INI file and system registry (see above)


--------------------------------------------------------------------------------


Worm.Win32.Opasoft.a (a.k.a. Brasil)
Opasoft.a, also known as "Brazil".is a new variant of the "Opasoft" worm.

The differences are:


The original "Opasoft.a" worm is not compressed. The "Brasil" variant is encrypted by the "PCPEC" PE EXE file encryption utility and then compressed by the "UPX" PE EXE files compression tool.

The text strings are patched. For example, the following strings are replaced:

"ScrSvr", "ScrSin" -> "Brasil"
"ScrSout" -> "Brasil!"
"scrupd" -> "puta!!"
"wwx.opasoft.xxxx" -> wwx.n3t.xxxx.xxxx

As a result the "Brasil" modification behaves a bit differently, however the spreading and backdoor routines are exactly the same as with the original worm variant.

Installation

The Opasoft.a worm installs itself to the Windows directory under the name "brasil.exe" or "brasil.pif" (depending on the "Brasil" patch variant) and registers this file in the auto-run registry key:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run Brasil = %worm name%
Spreading
While infecting remote computers the Opasoft.a worm uploads itself under the "brasil.exe" or "brasil.pif" name, and writes a corresponding string to a remote WIN.INI file.

Backdoor

The backdoor routine goes to the wwx.n3t.xxxx.xxxx WEB-site and performs the following actions:

it downloads and executes its new version (if there is one) from this site
it downloads and processes script files placed at this site

 

Thanks for the info Jan.
I noticed my log was filling up with UDP 137 again and was wondering why.
Now I know.

 

Hi Root,

You're welcome!

In the meanwhile I have edited some of the links (put some xxxx in there); I should have done that from the beginning, sorry!

 

And what does Andrea think about that it is compressed with the UPX file packing utility and encrypted with the PCPEC utility. The result being the shortened length of the file bearing the worm and an altered external appearance, however, the worm's functionality has not changed. The new modification's actions almost fully correspond to those of the original version. And that only Kasperansky detects it without new updates?

 

hey guys,

So how can we dectect this new worm? Cuz i knew someone who was infected by this worm earlier today, and it was this verions of opasoft.. it was caught by norton and was deleted from the computer. Ne one got ne removal tools?

wasabi

 

I have a question about the original Opasoft.
I run windows 98se with print and file sharing disabled, and netbios closed on outpost free.
This morning I ran spybot, after connecting to the internet, and only usage tracks showed. I ran a spybot update (almost immediately), and again scanned. It alerted me to Opasoft. I looked in explorer, and sure enough, there was a folder: windows\scrsvr.exe. It was empty. I deleted it manually. Spider guard had not given an alert. I ran Dr.Web and Opaclean. Both showed me clean of any infection from Opasoft.
Does any one have any idea how or why I got that opasoft folder. And am I still at risk?
Thank you
Scotcov

 

Hi Scotcov,

You said "I looked in explorer, and sure enough, there was a folder: windows\scrsvr.exe."

I am confused on the words" folder"...and then it was empty.

In windows you can not have a file folder by that name...and if it was anything else besides a folder the extension ( like .exe, .com , .txt ) would be not a folder but a icon...then you deleted "IT" manually.


I know I am missing something here...what is it?


Is it a file folder called "scrsvr.exe" ?

 

Hi Primrose.

"Is it a file folder called "scrsvr.exe" ?"
Yes! It was actually a folder in the windows directory with an .exe extension. I clicked on the folder and it was empty. What seems strange to me also is that it seemed to come from the Spybot update. I absolutely did not have that folder before the update!

Scotcov

 

Hi Scotcov,

Yes..we are both thinking the same thing here ..that it was spybot...maybe a hickup..I was also trying to figure out if maybe you had downloaded some type of cleaning tool for this bad boy ,just to be safe at on time recently, and ended up with a legit folder..but I do not know any that are like that...Hey this is a nice mystery ;-)..I am sure you are using the new spybot 1.1..hmmm.

That sure is a strange name for a folder.

 

Maybe it is one of those neat tricks where if you have a folder called scrsvr.exe in the same place where the real Opasoft wants to give you the "scrsvr.exe" infection the folder will stop it or alert you??

 

I think you figured it out Primrose! I had also just newly run the detector and cleaner Opaclean when all this started. Anyway, after your post I checked for the scrsvr.exe folder. It wasn't there. I ran Opaclean, and asked to be immunized. The folder appeared! Another great mystery solved.....I hope.
Boy, is security fun.

 

BTW, this also explains why Dr.Web didn't catch it: there was nothing in reality to catch. And it also clears Spybot. In fact, it makes it look even better.
Everyone should stick to products Wilders recommends!
They're great!

Scotcov

 

Hey we did it ...good going Now we have an answer for others also.

 

hey paul,

The link to the direct link for downloading the Opasoft removal utility does not work.

YODA

 

You gotta keep a close eye on me ... I change links without warning to keep ahead of changing times.

Speaking of links ... check out http://www.nod32.com.au/nod32/about/bathurst.htm

Life in the FAST lane !!!

 

Great engine! Back in the 1980s I came very close to buying a Countach replica with a supercharged Rover 3500 engine. It was actually faster than a genuine Countach. I ended up getting a hot Volvo 740 Turbo instead ... kinda hard to fit two growing daughters and a wife in a Countach. )

 

hey guys,

Yep that was the link i was refering too LowWaterMark, sorry for not being specific, thanks for the new link.

YODA