WORM_OPASERV.T

Malware type: Worm

Aliases: Net-Worm.Win32.Opasoft.l (Kaspersky), W32/Opaserv.worm.w (McAfee), W32.Opaserv.G.Worm (Symantec), Worm/OpaSoft.H (Avira), W32/Opaserv-O (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This destructive, memory-resident worm, a member of the OPASERV family of worms, propagates via shared network drives. Its destructive payloads are executed when the system date is between December 24 and December 31 of any year, or when the year is later than 2002.

This worm deletes files, overwrites the boot sector and destroys the CMOS, a critical system element which holds hardware configuration and initialization settings. These payloads leave infected systems practically unusable.

It also modifies the registry and the configuration file WIN.INI so that it runs automatically at every Windows startup. To reach shared drives it uses a known vulnerability in Windows 9x/ME share-level password checking, described in Microsoft Security Bulletin MS00-072.


Description created: Apr. 30, 2003 7:27:29 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 32,771 Bytes (PECompact compressed)

Initial samples received on: Apr 30, 2003

Variant of: WORM_OPASERV.M

Details:

Arrival and Installation

This destructive, memory-resident worm usually arrives as a PECompact-compressed file. Upon execution, it drops the following files in the Windows folder and then deletes the originally executed copy of itself:

  • msload.exe
  • scr.scr
  • winsrv.exe

This worm modifies the Windows configuration file WIN.INI to mark its execution. It creates an [msappfont] section and adds lines beginning with "value=", "font=" and "style=" under it. Each value is a single character whose ASCII code is the current day or month plus 30.

For instance, if the system date is December 30, it adds the following lines:

[msappfont]
value=N
font=<
style=N

Autostart Techniques

To ensure its automatic execution at every system startup, this worm creates the following autorun registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
IASHLPR="%Windows%\IASHLPR.EXE"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Winsrv=%Windows%\winsrv.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CLICONFG="%Windows%\CLICONFG.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
LoadManager="%Windows%\msload.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ACTIVEDS="%Windows%\ACTIVEDS.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FONTVIEW="%Windows%\FONTVIEW.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MPREXE="%Windows%\MPREXE.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scr="%System%\scr.scr"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BIOS1="%Windows%\BIOS1.EXE"

(Note: %Windows% is the Windows directory, usually C:\Windows or C:\WINNT. %System% is the Windows system folder, usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

It also modifies the [windows] section of the WIN.INI file as follows:

[windows]
run = %Filename%

(Note: %Filename% is the path and file name of the running malware file.)

Propagation

Like its predecessors, this variant propagates through C: drives that are shared with full access within the same domain. It registers itself as a service and repeatedly scans for machines connected to the network, then uses SMB (Server Message Block) to reach their shared drives. To get past share passwords it uses the known share-level password vulnerability in Windows 9x/ME file sharing described in Microsoft Security Bulletin MS00-072.

Payloads

This destructive worm checks whether the current date is between December 24 and December 31, or whether the year is later than 2002. It also reads its WIN.INI execution markers to determine whether at least two days have passed since its last execution. When these conditions hold, the worm carries out the following routines:

  • It creates C:\Msdos.sys, overwriting the original Msdos.sys.
  • It modifies the critical configuration file C:\Autoexec.bat so that it contains the command to execute MSLICENF.COM, a file containing code designed to infect the boot sector.
  • It creates C:\Boot.ini, which contains boot loader settings.
  • It creates C:\Bootsect.dos, which contains an infected boot sector image.
  • It drops and runs C:\Boot.exe to restart the infected system.
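As an added example (not code from the original write-up), the following Python decodes the [msappfont] marker described under Arrival and Installation and evaluates the trigger conditions above, so a responder can read a WIN.INI from a suspect machine and tell whether the payload was due to fire. It assumes each marker value is a single character whose code is the recorded number plus 30; the page's own December 30 example confirms this only for the font= line (30 + 30 = 60 = '<'), so value= and style= are returned as raw numbers without an assigned meaning, and the "at least two days" check is an assumed day-of-month comparison.

```python
"""Decode the WIN.INI [msappfont] execution marker and evaluate the
payload date trigger. Added example; not the worm's code."""
import configparser
from datetime import date

MARKER_SECTION = "msappfont"
MARKER_OFFSET = 30  # assumption: stored char code = number + 30

# Constructed WIN.INI excerpt reproducing the page's December 30 example.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\winsrv.exe

[msappfont]
value=N
font=<
style=N
"""


def decode_marker(win_ini_text):
    """Return {key: decoded number} for every one-character line in
    [msappfont], or {} when the section is absent (system not marked)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(win_ini_text)
    if not cp.has_section(MARKER_SECTION):
        return {}
    decoded = {}
    for key, raw in cp.items(MARKER_SECTION):
        if len(raw) != 1:
            continue  # not a one-character marker; ignore the line
        decoded[key] = ord(raw) - MARKER_OFFSET
    return decoded


def in_payload_window(today):
    """December 24-31 of any year, or any date in a year after 2002."""
    return today.year > 2002 or (today.month == 12 and 24 <= today.day <= 31)


def marker_is_stale(marker_day, today, min_days=2):
    """True when the recorded day-of-month is at least min_days before
    today's. Assumption: only day numbers are compared (the marker stores
    'day + 30'); a month rollover is treated as stale, the conservative
    reading for a responder."""
    if marker_day is None:
        return False  # no marker: the worm has not recorded a run yet
    delta = today.day - marker_day
    if delta < 0:
        return True  # month rolled over since the marker was written
    return delta >= min_days


def payload_would_fire(win_ini_text, today):
    """Combine both conditions the page describes for the payload."""
    marker = decode_marker(win_ini_text)
    return in_payload_window(today) and marker_is_stale(marker.get("font"), today)


if __name__ == "__main__":
    print(decode_marker(SAMPLE_WIN_INI))
    print(payload_would_fire(SAMPLE_WIN_INI, date(2002, 12, 31)))
    print(payload_would_fire(SAMPLE_WIN_INI, date(2003, 1, 1)))
```

With the sample above, font= decodes to 30 and the payload is not due on December 31, 2002 (only one day has passed), but is due on January 1, 2003 (year later than 2002 and the month has rolled over).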

When the system is restarted by the dropped file BOOT.EXE under the conditions described above, the following takes place:

  • If the current operating system is Windows 95 or 98, the infected system executes MSLICENF.COM as indicated by the modified AUTOEXEC.BAT in DOS mode.
  • If the system runs on Windows ME, this worm enables the real DOS mode by patching C:\IO.Sys, C:\Command.Com, and C:\Windows\System\Regenv32.exe.

When this worm executes BOOT.EXE, it also carries out the following destructive routines:

  • It overwrites the boot sector of the infected system.
  • It destroys the CMOS.
  • It deletes files from the hard drive.

It also displays a message with the following text strings upon system restart:

NOTICE:

Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!

Your unauthorized license has been revoked.

For more information, please call us at:

1-888-NOPIRACY

If you are outside the USA, please look up the correct contact information on our website, at:

www.bsa.org

Business Software Alliance
Promoting a safe & legal online world.

Other Details

Only one instance of this worm runs in memory at any given time. When executed as MQBKUP.EXE, this worm creates a mutex named "mqbkup61616". It creates a mutex named "mstask35263" when run as MSTASK.EXE.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.525.37

Pattern release date: Apr 30, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

This clean procedure applies to systems whose boot sector has not yet been affected by this worm. If the malware has already executed all of its destructive routines, contact your system manufacturer for help restoring the settings stored in the CMOS. You may also need to restore deleted files from backup.

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_OPASERV.T. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as WORM_OPASERV.T.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press CTRL+ALT+DELETE. On Windows 2000/XP, press CTRL+SHIFT+ESC.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entries:
    IASHLPR="%Windows%\IASHLPR.EXE"
    FONTVIEW="%Windows%\FONTVIEW.EXE"
    MPREXE="%Windows%\MPREXE.EXE"
    Scr="%System%\scr.scr"
    BIOS1="%Windows%\BIOS1.EXE"
    Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entries:
    Winsrv=%Windows%\winsrv.exe
    CLICONFG="%Windows%\CLICONFG.EXE"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  7. In the right panel, locate and delete the entries:
    LoadManager="%Windows%\msload.exe"
    ACTIVEDS="%Windows%\ACTIVEDS.EXE"
    (Note: %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.)
  8. Close Registry Editor.
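As an added example (not part of the original write-up and not a Trend Micro tool), the following Python automates the check behind the procedure above: it parses a REGEDIT export of the three Run/RunServices keys, matches the value names listed under Autostart Techniques, and writes a .reg file that deletes only those values. The workflow is an assumption: export the keys with REGEDIT, run the script on the export, review the result, then merge it with REGEDIT. Because the write-up places IASHLPR under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, every listed name is matched under all three keys, case-insensitively. The sample export is constructed.

```python
"""Find the worm's autostart values in a .reg export and build a .reg
file that removes them. Added example; '"Name"=-' deletes a value."""
import re

AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
# Value names taken from the write-up; compared in lower case.
WORM_VALUE_NAMES = {
    "iashlpr", "winsrv", "cliconfg", "loadmanager",
    "activeds", "fontview", "mprexe", "scr", "bios1",
}

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed export from a Windows 98 system; SystemTray and ScanRegistry
# are legitimate values included to show they are left alone.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"FONTVIEW"="C:\\WINDOWS\\FONTVIEW.EXE"
"Scr"="C:\\WINDOWS\\SYSTEM\\scr.scr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadManager"="C:\\WINDOWS\\msload.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Winsrv"="C:\\WINDOWS\\winsrv.exe"
"""


def parse_reg_export(text):
    """Return [(key, value_name, raw_data)] for every value in a REGEDIT4
    or 'Windows Registry Editor Version 5.00' export. Hex continuation
    lines (ending in a backslash) are joined before parsing."""
    text = text.lstrip("\ufeff")
    joined = re.sub(r"\\\r?\n\s*", "", text)
    entries, current_key = [], None
    for line in joined.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # '[-KEY]' is a key deletion, not a key we read values from.
            current_key = None if m.group(1) else m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((current_key, name, m.group(2)))
    return entries


def find_worm_autoruns(text):
    """Values under the three autorun keys whose name is on the list."""
    keys = {k.lower() for k in AUTORUN_KEYS}
    return [
        (key, name, data) for key, name, data in parse_reg_export(text)
        if key.lower() in keys and name.lower() in WORM_VALUE_NAMES
    ]


def build_removal_reg(text):
    """Emit a REGEDIT4 file deleting only the matched values; return ''
    when nothing matched so an empty file is never merged by mistake."""
    hits = find_worm_autoruns(text)
    if not hits:
        return ""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(build_removal_reg(SAMPLE_EXPORT))
```

Review the generated file before merging it: the match is by value name only, so a legitimate value that happens to share a name (for example, a value called Scr) would also be removed. The REGEDIT4 header is accepted by REGEDIT on Windows 95 through XP.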

Removing Autostart Entries from System Files

A malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

  1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
  2. In System Configuration Editor, select the WIN.INI window.
  3. Under the [windows] section, locate the lines that begin with:
    run = %Filename%
    *where %Filename% is the path and filename of the malware file.
  4. From those lines, delete the malware path and file name. This is the modification the worm makes on systems it infects remotely over a share.
  5. Search for the [msappfont] section. Once found, delete this entire section.
  6. Close System Configuration Editor and click Yes when prompted to save.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Applying Patches

This malware exploits the share-level password vulnerability in Windows 9x/ME file sharing described in Microsoft Security Bulletin MS00-072. Download and install the corresponding security patch from Microsoft, and remove full-access, password-free shares of the C: drive where they are not needed.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_OPASERV.T. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

