updated 28th May '03
Description: Opasoft (also known as Opaserv, Alevir,
ScrSvr, Brasil, and Marco) was first detected by InVircible
when it tried installing itself on IV protected PCs, revealing
its backdoor driver. Variants of Opasoft use different names
for the driver, among them Scrsvr, Alevir, Brasil, Marco!,
Instit and Mqbkup, and there could be more.
A highly destructive variant of Opasoft (labelled Opaserv.K
by some AV) was found in the first week of '03. The driver
of that variant is named Mqbkup.exe or Mmstask.exe.
On activation of the payload, the following message is
displayed while the first 8 GB of every physical drive
are being overwritten with the message content:
NOTICE: Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright
Act!
Your unauthorized license has been revoked.
For more information, please call us at: 1-888-NOPIRACY
If you are outside the USA, please look up the correct contact
information on our website, at: www.bsa.org Business Software
Alliance Promoting a safe & legal online world.
Opasoft is a 'share aware' worm that propagates exclusively
through unprotected or weakly passworded shares.
The worm file is copied to the Windows directory on the
victim PC and started through one or more of the following
methods: from the registry's machine 'run' key; by a direct
call to the worm driver (Scrsvr, Brasil, Alevir, Marco!, or
Instit.bat) from a 'run=' entry in win.ini; or indirectly,
by run=c:\tmp.ini in win.ini, where tmp.ini in turn calls
the worm driver through its own 'run=' entry.
Because Opasoft is a "monolithic replicator", meaning that
the drop file is forwarded "as is", there is a good chance
that the victim PC will also become infected by older PE
viruses that the worm file picked up on an infected PC en route.
The most common secondary infectors carried by Opasoft are
Funlove, Spaces.1445, Dupator and Pinfi.
Detection: Opasoft is inherently detected by the
startup applications monitor of IV Interceptor; no IV update
is required.
SITES WITH MORE THAN ONE PC PLEASE READ THE FOLLOWING 5 STEPS:
Opasoft only infects shared system drives, with no
or weak password protection!
1. Therefore, and before anything else, make sure the entire
system drive, usually C:, is not shared with everyone.
If you need to share, restrict the sharing to specific
directories and resources, but never include the system
drive in these shares.
2. A possible cause of weak passwording is the 'share level
password' vulnerability, present in unpatched Windows 95,
98, 98SE and ME (see below).
Share level password vulnerability in unpatched Windows 95,
98, 98SE and ME: Opaserv randomly sends password attempts
of only one character in length to the victim host machine.
When a one-byte password is supplied, the host machine checks
only the first byte of the stored password. If that first
byte is correct, the authentication process completes
successfully. As a result it is enough for the attacker to
try all one-byte passwords to exploit vulnerable Win9x and
ME machines. The patch for this vulnerability is available
at: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
3. For advanced users only: where file sharing is not required
over the Internet, remove "file and printer sharing"
from the bindings list of the protocol used to connect
to the web (TCP/IP -> dial-up adapter, or the adapter
that connects to ADSL). If no file sharing is required on
the local network either, remove the service from the
bindings list of all protocols.
4. Click the link for detailed instructions on how to minimize
the file sharing vulnerability
risks.
5. After having stopped the unnecessary shares, removing
the worm can be done either manually, or automatically,
with InVircible.
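The share level password flaw described in step 2, as an added example that is not from the original page or from InVircible: a simulated check that trusts the client-supplied password length, beside a corrected check that compares the full stored password. The function names and the sample password are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample share-level password standing in for the one the
 * Win9x server holds (an assumption for this example). */
static const char STORED_PASSWORD[] = "s3cret!";

/* Flawed check, modelled on the MS00-072 behaviour described above:
 * the server trusts the length the client supplied and compares only
 * that many bytes, so a one-byte guess that matches the first character
 * is accepted. */
bool check_password_flawed(const char *guess, size_t guess_len)
{
    size_t stored_len = strlen(STORED_PASSWORD);
    if (guess_len > stored_len)
        return false;            /* keep the model in bounds */
    return memcmp(STORED_PASSWORD, guess, guess_len) == 0;
}

/* Fixed check: the supplied length must equal the stored length and
 * every byte is compared, with no early exit (constant-time style). */
bool check_password_fixed(const char *guess, size_t guess_len)
{
    size_t stored_len = strlen(STORED_PASSWORD);
    unsigned char diff = (unsigned char)(guess_len != stored_len);
    for (size_t i = 0; i < stored_len; i++) {
        unsigned char g = (i < guess_len) ? (unsigned char)guess[i] : 0;
        diff |= (unsigned char)STORED_PASSWORD[i] ^ g;
    }
    return diff == 0;
}

/* Count how many of the 255 possible one-byte guesses a check accepts:
 * the flawed check lets exactly one through, the fixed check none. */
int count_one_byte_hits(bool (*check)(const char *, size_t))
{
    int hits = 0;
    for (int b = 1; b < 256; b++) {
        char guess = (char)b;
        if (check(&guess, 1))
            hits++;
    }
    return hits;
}
```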
Automatic removal with InVircible:
1. First, download IVINIT from this link to the local hard drive.
2. Restart the computer in MS-DOS mode (only possible under Windows
95/98) and run IVINIT several times from the command prompt,
until you see no more messages about removing an Opasoft
Trojan file.
3. Restart Windows and answer 'yes' when Interceptor asks
whether to remove the inactive remains of Opasoft's initializations.
4. Use the Interceptor 'startup apps list' feature to delete
any and all Opasoft initializations from the startup queue.
You may need to repeat the deletion of stubborn items several
times until they no longer show in the startup queue. Then
restart Windows and finish cleaning the startup queue without
the worm interfering.
To remove manually:
1. Start REGEDIT and delete the key that points to the bogus
driver (Scrsvr, Brasil, Alevir, Marco!) under machine 'run'.
2. Next, open Win.ini with Notepad or SysEdit and delete the
line(s) that start with 'run=' and contain one of the worm's
driver names.
3. Reboot the computer and delete any of the following, if found:
Alevir.*, ScrSvr.*, Brasil.*, Marco!.* and C:\tmp.ini.
©NetZ Computing
