Symantec Security Response - W32.Opaserv.K.Worm

W32.Opaserv.K.Worm is a network-aware worm that spreads across open network shares. This worm copies itself to the remote computer as a file named Mqbkup.exe.

If you are on a network, or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and the Internet before attempting to remove this worm.

If you have shared files or folders, disable them. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Instead, share specific folders. These shared folders must be password-protected with a secure password. Do not use a blank password.

Also, before doing so, if you are using Windows 95/98/Millennium, download and install the Microsoft patch from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.

Also Known As: W32/Opaserv.worm.m [McAfee]
Type: Worm
Infection Length: 17,408 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, Unix, Linux
CVE References: CVE-2000-0979

technical details

W32.Opaserv.K.Worm is a variant of W32.Opaserv.Worm. It is designed to work under the Windows 95/98/Millennium operating systems.

When W32.Opaserv.K.Worm runs, it performs the following actions:

If the original file name of the worm is not %windir%\Mqbkup.exe, it copies itself as %windir%\Mqbkup.exe and then deletes itself from the original location. It then updates the registry and quits. This ensures that the worm is executed at the next system startup as %windir%\Mqbkup.exe.

NOTE: %windir% is a variable. The worm locates the Windows main installation folder (by default, this is C:\Windows or C:\Winnt) and uses it as a destination folder.

The worm creates the "mqbkup61616" mutex. This mutex allows only one instance of W32.Opaserv.K.Worm to execute in memory.

The worm creates the value

mqbkup %windir%\mqbkup.exe

or

qbkupdbs %windir%\mqbkup.exe

in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm starts when you start or restart Windows.

If the operating system is Windows 95/98/Millennium, the worm registers itself as a service process so that it continues to run after you log off.

The worm may drop an executable, C:\boot.exe (3,584 bytes), that shuts down the system and then restarts it. The system is restarted by forcing processes to terminate (any open documents are closed without saving their contents). This file is not malicious.

The worm may create the file C:\Mslicenf.com, which, if it is run, displays this message:

Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.

The worm may then update the contents of the C:\Autoexec.bat file to run the Mslicenf.com file when you start the computer, and then to run C:\boot.exe. As a result, when you restart the computer, it displays the message and then reboots.

Then the worm takes an inventory of the network, looking for "C:\" shares. For each share it finds, it attempts to perform these actions:

Copies itself to C:\Windows\Mqbkup.exe.
Adds the following line to the Win.ini file on the compromised network computer: run=c:\windows\mqbkup.exe

To replicate across the network, the worm uses a security vulnerability in Microsoft Windows 95/98/Millennium. It sends single-character passwords to network shares to get access to Windows 95/98/Millennium file shares, without knowing the entire password assigned to the shares.
The affected operating systems include:

Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

A patch for computers that run these operating systems can be found at http://www.microsoft.com/technet/security/...in/MS00-072.asp.

removal instructions

READ THIS FIRST

This worm uses a security vulnerability in Microsoft Windows 95/98/Millennium. It sends single-character passwords to network shares to get access to Windows 95/98/Millennium file shares, without knowing the entire password assigned to the shares. The affected systems include Windows 95, 98, and Me.

A patch for computers running these operating systems can be found at http://www.microsoft.com/technet/security/...in/MS00-072.asp. If you have not already done so, obtain and install the patch to prevent future infections.

If you are on a network, or if you have a full-time connection to the Internet, such as DSL or cable modem, disconnect the computer from the network and the Internet. Disable sharing before you reconnect computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not re-infect the computer after it has been removed, remove all shares, clean all the computers on the network, patch all the systems, and update the definitions on all the computers before you reconnect to the network or re-enable shares. For instructions, refer to your Windows documentation, or the document "How to configure shared Windows folders for maximum network protection."

If you are removing an infection on a network, first make sure any shares are disabled.

These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Perform the following to remove the W32.Opaserv.K.Worm:

1. Disconnect from the network.
2. Update the virus definitions.
3. Do one of the following:
   Windows 95/98/Millennium: Restart the computer in Safe mode.
   Windows NT/2000/XP: Stop the running worm process.
4. Run a full system scan and delete all the files detected as W32.Opaserv.K.Worm.
5. Reverse the changes that the worm made to the registry.
6. For Windows 95/98/Millennium only, delete the line run=c:\windows\mqbkup.exe from the C:\Windows\Win.ini file.

Reversing the changes made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)
3. Navigate to the following key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, delete the following value:
   mqbkup %windir%\mqbkup.exe
   or
   mqbkupdbs %windir%\mqbkup.exe
5. Exit the Registry Editor.

Deleting the line that the worm added to the Win.ini file

This is necessary on Windows 95/98/Millennium-based computers only.

NOTE for Windows Me users only: Due to the file-protection process in Windows Me, a backup copy of the file that you are to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are to edit when you save your changes to that file.

1. Click Start, and then click Run.
2. Type the following, and then click OK.
   edit c:\windows\win.ini
   The MS-DOS Editor opens.
   NOTE: If Windows is installed in a different location, make the appropriate path substitution.
3. In the [windows] section of the file, look for an entry similar to
   run=c:\windows\mqbkup.exe
4. Select the entire line. Be sure that you have not selected any other text in the file. Then press Delete.
5. Click File, then click Save.
6. Click File, then click Exit.
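
The two manual checks above (the Run key value and the run= line in Win.ini) can also be scripted against copies of the files taken from a suspect machine. The following is an added example, not Symantec's code. It assumes the Run key has been saved as a regedit text export and that run= entries contain no embedded spaces, and it goes slightly beyond the steps above by keeping any other programs that share the run= line. The sample inputs are constructed.

```python
import re

WORM_FILE = "mqbkup.exe"  # worm's file name as given in the write-up
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def is_worm_path(path):
    """True when the last path component is the worm's file name (any case)."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower() == WORM_FILE

def clean_win_ini(text):
    """Return (cleaned_text, removed_entries); only run= in [windows] is touched."""
    out, removed, section = [], [], ""
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
        key, sep, value = s.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            progs = [p for p in re.split(r"[,\s]+", value) if p]
            keep = [p for p in progs if not is_worm_path(p)]
            if len(keep) != len(progs):
                removed += [p for p in progs if is_worm_path(p)]
                if not keep:
                    continue  # the line held only the worm: drop the whole line
                line = "run=" + " ".join(keep)
        out.append(line)
    return "\n".join(out) + "\n", removed

def worm_run_values(reg_export):
    """Names of values under the Run key (regedit text export) that start the worm."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_run = s.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and s.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', s)
            if m and is_worm_path(m.group(2)):
                hits.append(m.group(1))
    return hits

# Constructed sample inputs (not taken from a real system).
SAMPLE_INI = ("[windows]\nload=\nrun=C:\\WINDOWS\\MQBKUP.EXE c:\\tools\\clock.exe\n"
              "[fonts]\nrun=c:\\windows\\mqbkup.exe\n")
SAMPLE_REG = ('REGEDIT4\n\n[' + RUN_KEY + ']\n'
              '"SystemTray"="SysTray.Exe"\n"mqbkup"="C:\\\\WINDOWS\\\\mqbkup.exe"\n')

if __name__ == "__main__":
    print(clean_win_ini(SAMPLE_INI))
    print(worm_run_values(SAMPLE_REG))
```

Matching is on the file name rather than the value name, so either of the value names listed above is reported as long as its data points at mqbkup.exe.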