Win32:Opas
Win32:Opas is a network worm combined with a backdoor. It spreads
over local and global networks by using NETBIOS services. The worm is about
28 kilobytes long. The worm installs itself to the Windows directory under
the name scrsvr.exe and adds the following key into the registry:
The worm then deletes the file in which it arrived on the computer.
The worm scans networks by using port 137 (NETBIOS Name Service) to locate
possible victim computers. The following subnets are scanned:
If it gets a reply from any IP address, the worm also scans the two subnets neighboring that address. If the responding computer has the File and Print Sharing service enabled, the worm tries to infect it. It establishes a connection with the remote computer. If the resource is protected by a password, the worm tries to open it with all one-character passwords. If successful, it sends the EXE file to the remote computer as the WINDOWS\scrsvr.exe file. Then the worm reads the remote WINDOWS\win.ini file, adds the run command to it and sends it back. On the next Windows restart the worm's copy is activated.
Windows NT/2000/XP computers are not vulnerable to this attack, unlike Windows 9x/Me computers. The virus also uses a very old security exploit in Windows 9x/Me: on computers which are not patched, it is able to get access to shared disks which are protected by passwords longer than one character. See Microsoft Security Bulletin 072 for details.
The backdoor part of this worm tries to connect to www.opasoft.com and download an updated version of itself. This web site is currently down, however. The worm can also cause garbage to be printed on network printers.
Removal:
Variants:
Any avast! with VPS file dated on or after 1st October 2002 is able to detect this worm. Refer: Avast
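The win.ini change described above can be checked for directly. The following is an added example, not code from the original page or from Avast: it scans the text of a win.ini file for an auto-start entry that launches scrsvr.exe. It assumes the run command sits in the `[windows]` section, that program paths contain no spaces (8.3 style), and it also checks `load=`, which the page does not mention; the function names and sample inputs are constructed for illustration.

```python
import re

# File name the worm installs under, as given on this page.
WORM_FILE = "scrsvr.exe"
# Auto-start keys in the [windows] section of win.ini. The page mentions only
# the run command; checking load= as well is an assumption added here.
AUTOSTART_KEYS = ("run", "load")

def autostart_entries(win_ini_text):
    """Return (key, program) pairs from the [windows] section of win.ini."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # Several programs may be listed, separated by spaces or commas.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key, prog))
    return entries

def find_opas_autostart(win_ini_text):
    """Return the auto-start entries whose file name is scrsvr.exe."""
    hits = []
    for key, prog in autostart_entries(win_ini_text):
        name = re.split(r"[\\/]", prog.strip('"'))[-1].lower()
        if name == WORM_FILE:
            hits.append((key, prog))
    return hits

# Constructed sample inputs, not taken from a real infected machine.
CLEAN_INI = "[windows]\nload=\nrun=\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"
INFECTED_INI = (
    "; constructed sample\n"
    "[windows]\n"
    "load=\n"
    "RUN=C:\\TOOLS\\clock.exe C:\\WINDOWS\\SCRSVR.EXE\n"
    "[fonts]\n"
    "run=scrsvr.exe\n"
)

if __name__ == "__main__":
    print(find_opas_autostart(CLEAN_INI))
    print(find_opas_autostart(INFECTED_INI))
```

A hit means the entry has to be removed from win.ini along with the scrsvr.exe file in the Windows directory, since the page states that the copy is activated on the next restart.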