OpaServ - Grrrrrrrrrrr

Discussion in 'NOD32 version 1 Forum' started by Blackspear, Dec 16, 2002.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    This is bugging the hell out of me. I've cleaned a PC twice now, gone into the registry and totally removed OpaServ and all its variants through the following:

    1. Disconnected computer from the Internet and LAN.

    2. Booted to safe mode

    3. Ran both of the NOD32 Opaserv cleaners from http://www.nod32.com.au

    4. Checked win.ini for any unusual references after run=

    5. Check registry and delete the values: ScrSvr %windir%\ScrSvr.exe and ScrSvrOld <original worm name> from the registry key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    6. Manually search for and delete the files .....
    scrsvr.*
    brasil.*
    marco*.*
    put.ini
    alevir.*

    This time around I put on Sygate as the firewall, rescanned with Nod32, and it came up all clean.

    My question to the Eset Team: Why is Nod32 allowing reinfection and changes to the registry to occur? Nod32 deletes the infection upon detection, but still allows the registry to be altered, thus upon reboot heaps of messages appear: missing brasil... missing put.ini...etc, etc.

    I have told this person to stop using webmail and use a pop3 account that I have set up.

    Your help would be appreciated, I simply do not understand why Nod32 is allowing part of the virus to get past...

    Cheers.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Blackspear,

    What O/S are we talking about here?

    regards.

    paul
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Paul, in this case Windows 98SE fresh install after first infection of multiple viruses including Opaserv, so in fact today brings this to the 3rd reinfection in 4 days... I'll see how it goes tomorrow with Sygate having closed any and all open ports (I usually use ZoneAlarm, but in this case he wants to Internet Share, which Sygate facilitates).

    Cheers.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Blackspear,

    Doesn't SE use System Restore? That might be the culprit here.

    regards.

    paul
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Not sure Paul, but I have done a complete search of the registry, found and deleted all files relating to OpaServ, ran 2 removal tools from Nod32 and one from Symantec, everything then came up clean, all 3 times. Rescanned multiple times. Besides, this would not account for reinfection after a clean install of Windows, no system restore available after a format :D

    I just can not see how he is being reinfected and why Nod32 is allowing part of the virus to get past, surely this is the job of Amon to scan and maintain protection of everything outside of the pop3 scanner...

    Cheers.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Using win98se myself, no system restore here.
    That was the first thing I was thinking of too.
    I must remember we're in the NOD32 forums now, as I wanted to suggest trying your other new tools (even the eval versions would do) to see if anything is left and monitoring when or with what it happens.
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Blackspear,

    Did you give Paolo Monti's updated cleaner a go?

    regards.

    paul
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jooske, don't get me wrong here, I do like TDS-3, but with it making my system into a PIG, my confidence in placing it on a Celeron 400 with 256MB Ram is absolutely ZERO, I want to sort out what it's doing to my system before taking it elsewhere :D

    Cheers.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Paul, yes that is one of the 3 cleaners that I used :D

    I have very little hair left after the 3rd infection and they're using my heart to power a nuclear station... :D

    Cheers.
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Blackspear,

    Could you look at our downloads section and grab a copy of startuplist.
    Please post the log the program makes. Maybe that will clarify things.

    Regards,

    Pieter
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I am not going to suggest you use something else :D

    But I will say there is not just ONE type of Opaserv and some standalone tools do have problems getting them "all".

    How many versions of Opaserv are there at this time o_O ..see this link.

    http://forum.gladiator-antivirus.com/index.php?act=ST&f=56&t=690&s=9f1a469a8e79951ca30b32833c4fb92e

    You can expect your AV to stop it if you have the OS, AV and firewall set up correctly and if your AV is looking for all the varieties.

    But once infected ..it is tough.
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No worries Pieter, will give it a go, I placed RegCleaner on the system and made sure only things that I know of were in the registry, it also now shows all existing files as "Old", so anything new will stand out...

    It still does not answer why, after a format and fresh install of Windows, Nod32 let it back in again (though no firewall was present until today - 3rd infection).

    Cheers.
     
  14. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I will leave you all to it then..but if you go to the links I posted it will explain...as you say

    "It still does not answer why after a format and fresh install of windows why Nod32 let it back in again (though no firewall was present until today - 3rd infection)."
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Primrose, I followed the link, it does not explain anything other than showing there are a few variants o_O

    I'm one that is happy to continually look, listen and learn :D

    Cheers.
     
  16. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    More than just a few..is the problem and you will see more coming.

    But you should not just rely on the AV in any case with what you know you can and should do to lock down the OS so that it is not susceptible to Opaserv in the first place and that is why I also posted this link...

    Subject: Opaserv reinfection possible cause

    http://miataru.computing.net/security/wwwboard/forum/3034.html

    And since Opaserv can play havoc with Win 98 start working on that OS so it can not set up shares and do its thing...that is most important.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ahhhh that link's much better :D

    Thanks Primrose, I'm trying to get the system as tight as possible, however I'm dealing with dumb and dumber, these people have owned computers for years and they still do NOT know how to copy and paste, what can I say. If I lock it up too tight they won't be able to use it and my phone will run hotter than it already is :(

    Cheers.
     
  18. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    Hi all,

    we have experienced that in some cases, when the end user cannot use other means, it can be useful to use a quick & dirty trick to avoid Opaserv infections: create "dummy" files with the same names as the files used by Opaserv and then protect them with file attributes.
    Here is a little tool to "immunize" the system against Opaserv:

    http://www.nod32.it/tools/DFC.ZIP

    The program name is "Dummy File Creator" (DFC), and its purpose is to create a list of files which hinder Opaserv replication through open shares. The configuration file (DFC.INI - a standard INI file) is already set to contain the right list of the files. Anyway, this program is easily customizable to handle whatever list of file names. DFC supports a switch on the command line:

    /s

    If DFC is launched with that parameter on the command line, it will work in "silent mode", i.e. it will create the files and then will quit without showing any window to the end user.

    Enjoy ;)

    ciao,
    Paolo.
     
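Paolo's DFC is a binary download and its DFC.INI list is not reproduced in the thread. The Python below is an added illustration of the same immunization idea, not DFC itself: it creates zero-length placeholders for two names the thread mentions (ScrSvr.exe and put.ini), clears their write attribute, and audits that the placeholders are still intact; the name list is an assumption you would extend from your own DFC.INI.

```python
import shutil
import stat
import tempfile
from pathlib import Path

# Names taken from this thread (ScrSvr.exe in the Run key, put.ini in step 6);
# the real DFC.INI list is not shown on the page, so extend this as needed.
DEFAULT_NAMES = ["ScrSvr.exe", "put.ini"]
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def immunize(target_dir, names=DEFAULT_NAMES):
    """Create an empty placeholder per name and clear its write bits (the
    read-only attribute on Windows). True per name when a read-only, zero-length
    placeholder is in place; an existing non-empty file is left alone (False)."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    out = {}
    for name in names:
        p = target / name
        if not p.exists():
            p.touch()
        if p.stat().st_size != 0:        # not our dummy: do not touch real data
            out[name] = False
            continue
        p.chmod(p.stat().st_mode & ~WRITE_BITS)
        out[name] = not (p.stat().st_mode & WRITE_BITS)
    return out

def audit(target_dir, names=DEFAULT_NAMES):
    """True per name only if a zero-length, non-writable placeholder still exists."""
    out = {}
    for name in names:
        p = Path(target_dir) / name
        out[name] = p.is_file() and p.stat().st_size == 0 and not (p.stat().st_mode & WRITE_BITS)
    return out

def demo():
    """Constructed run in temp dirs: immunize a clean dir, then audit a dir where
    put.ini already has content (so it is not a placeholder and must be flagged)."""
    clean, tampered = tempfile.mkdtemp(), tempfile.mkdtemp()
    result = {"immunized": immunize(clean), "audit": audit(clean)}
    (Path(tampered) / "put.ini").write_text("[constructed]\n")
    result["tampered_audit"] = audit(tampered)
    for d in (clean, tampered):
        for p in Path(d).iterdir():
            p.chmod(p.stat().st_mode | stat.S_IWUSR)  # restore write bit so cleanup works on Windows
        shutil.rmtree(d)
    return result
```

The read-only attribute only stops a writer that honours it; anything able to change attributes can undo the protection, which is why the thread calls it quick and dirty.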
  19. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    I figured that it was not your system...that is a hard call..do too much and they will think you broke the box :eek:
    We share in your frustration on that one.

    Good Luck and happy holidays,

    John
     
  20. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Paolo Monti to the rescue ONCE again. WTG ;) I knew we could count on you for solutions as always. That will be a nice Holiday Present for many.

    Thank You,
    John
     
  21. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    1) Make sure that Amon is loaded.

    2) Make sure that Amon is set to scan on open+create+execute ("Targets" tab).

    3) Make sure that nothing is excluded from Amon ("Exclude" tab).

    4) Make sure that "Signatures" and "Heuristics" are set ("Methods" tab).

    5) Disable sharing of C:\. (type "net share" in a DOS-prompt to see the shares)

    6) Visit www.windowsupdate.com and download all available security updates.

    Best regards,
    Anders
    EuroSecure
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Paolo. Anders, I have done all of that, I set up Nod32 exactly as you have said on each install.

    I now have a greater understanding of how this virus works:

    One possible reason why this virus keeps reappearing is due to a protocol built into Windows called Router Solicitation. This means that when your ports are open your system sends out its IP address to a multicast server (log IP 224.0.0.2). This would have been set up by a previous infection. This has the effect of broadcasting your IP to whoever wants to listen (similar to announcing it on a radio - MS knowledge base Q223756).

    The virus is then sent back to your system under the various names and you become reinfected, unless your virus scanner picks it up. The cure is to download a file called tweakup (free) from www.homestead.com/tweakup/tweakup.html and run a program called disable IRDP. This amends your registry to turn the transmission off.

    This was posted on: http://miataru.computing.net/security/wwwboard/forum/3034.html

    Together with Paolo's advice and a Firewall, I hope this mongrel will not reappear :mad:

    I still would like to know from the Eset Team why Amon is allowing reinfection, as in, how it allows changes in the registry, surely it should stop this?

    Cheers.
     
  23. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey Blackspear,

    a virus doesn't write to the registry until it is executed - Amon protects it from being executed - if set up properly - it's possible that the user had the settings not correct.

    rgds, :)

    jan
     
  24. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    I'm quite certain that if you still receive infected files, you probably still have your drives shared.

    Other possibilities are:
    You have an unknown dropper for the Opaserv worm installed. (not likely)
    You have a backdoor installed, and someone is dropping Opaserv to your computer. (not likely)

    If you have a NT-based system, do the following:
    Start -> Run
    enter: %comspec% /c net share > c:\share.txt && notepad c:\share.txt
    (that SHOULD work ;)
    Copy and paste the output to this forum.

    If you have Windows 95/98/ME, I can't think of a quick way to show local shares... hmm.. yeah, the registry..
    Start -> Run
    enter (one line): regedit /e c:\share.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan
    Start -> Run
    enter: notepad c:\share.txt
    Copy and paste the output to this forum.

    Best regards,
    Anders
    EuroSecure
     
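Both the Run-key check in step 5 of the first post and the LanMan export Anders asks for can be reviewed offline from a regedit /e file. The Python below is an added example, not a tool from the thread: it parses a constructed export (the "Path" value name under each share key is assumed from the Win9x LanMan layout, not taken from the page) and flags root-drive shares and ScrSvr autorun entries.

```python
import re

# Constructed regedit /e export (not from the page): two Win9x LanMan share keys
# and the Run key from step 5 of the first post. The "Path" value name under
# each share is assumed from the Win9x LanMan layout.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\C]
"Path"="C:\\"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\DOCS]
"Path"="C:\\My Documents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
'''

LANMAN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')   # dword:/hex: lines are ignored

def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for a regedit /e export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := STRING_VALUE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")  # un-escape .reg backslashes
    return keys

def root_shares(keys):
    """Share names whose Path is a bare drive root such as C:\\ (the share Anders says to disable)."""
    prefix = LANMAN.lower() + "\\"
    return [path.rsplit("\\", 1)[1] for path, values in keys.items()
            if path.lower().startswith(prefix)
            and re.fullmatch(r"[A-Za-z]:\\?", values.get("Path", ""))]

def suspicious_run_entries(keys):
    """Run-key values named ScrSvr/ScrSvrOld (step 5 of the first post) or launching ScrSvr.exe."""
    run = {k: v for k, v in keys.items() if k.lower() == RUN.lower()}
    return {name: cmd for values in run.values() for name, cmd in values.items()
            if name.lower() in ("scrsvr", "scrsvrold") or "scrsvr.exe" in cmd.lower()}
```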
  25. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    Yep, right. Here (I mean, in Italy) we had ITW a dropper of Opaserv, now detected by NOD32.

    NET VIEW \\%ComputerName% should work as well.

    ciao,
    Paolo.
     