Current Status - October 15, 2002 - Low
Name of the Virus: W32.Opaserv.Worm, Worm_Opasoft.A, W95/Scurmp.Worm Medium Alert
Infects network shares
Attempts to contact a specific web site and download an executable from it
Also scans for the computer name and domain name of machines connected to the network, and sends that information to the download site
Operating Systems Affected:
Windows 95
Windows 98
Windows 2000
Windows XP
Ways this virus spreads:
Network shares that are not password protected.
Infection:
W32.Opaserv.Worm is a network-aware worm which attempts to replicate across open network shares. It copies itself to the file "scrsvr.exe" on the remote machine. The worm also attempts to download updates from www.opasoft.com, although that site may already have been shut down. Indicators of infection include:
The existence of scrsin.dat and scrsout.dat in the root directory of the C: drive, indicating a local infection (the worm was executed on the local machine)
The existence of tmp.ini in the root directory of the C: drive, indicating a remote infection (the machine was infected by a remote host)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run contains a string value named ScrSvr or ScrSvrOld which is set to "c:\tmp.ini"
Removal instructions: Check the sites at the bottom of this page.
Name of the Virus: W32.Bugbear@mm, Worm Bugbear_A Medium Alert
Large scale mass mailer worm
Spoofs email addresses
Terminates processes used by antivirus and personal firewall software
Infects network shares
Drops a backdoor Trojan that can log passwords
Operating Systems Affected:
Windows 95
Windows 98
Windows 2000
Windows XP
Ways this virus spreads: W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares, and it has backdoor capabilities.
Email Subject line may read:
hello!
update
hmm..
Payment notices
Just a reminder
Correction of errors
history screen
Announcement
various
Introduction
Interesting...
I need help about script!!!
Stats
Please Help...
Report
Membership Confirmation
Get a FREE gift!
Today Only
New Contests
Lost & Found
bad news
fantastic
click on this!
Market Update Report
empty account
My eBay ads
25 merchants and rising
CALL FOR INFORMATION!
new reading
Sponsors needed
SCAM alert!!!
Warning!
its easy
free shipping!
Daily Email Reminder
Tools For Your Online Business
New bonus in your cash account
Your Gift
$150 FREE Bonus!
Your News Alert
Get 8 FREE issues - no risk!
Greets!
Confirmation of Recipes…
The email attachment may be one of these:
Setup.exe
3 July 2002.doc.pif
Removal Instructions - Check the sites below, they will have the removal instructions.
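The subject lines and attachment names above are the indicators a mail gateway can act on. The script below is an added example for this bulletin, not code from its author or from any antivirus vendor: it parses a raw message with Python's standard email library, checks the Subject against the list above, and flags attachments whose final extension is executable, including the "document.doc.pif" double-extension trick the "3 July 2002.doc.pif" attachment uses. The executable and decoy extension lists, the verdict policy and the sample message are assumptions constructed for the demonstration.

```python
"""Mail-gateway triage for the W32.Bugbear@mm indicators in this bulletin.

Added example; not code from the bulletin's author or any antivirus vendor.
The subject list comes from the bulletin; the extension lists, the verdict
policy and SAMPLE_MESSAGE are constructed for the demonstration.
"""
import email
from email import policy
from typing import Dict, List, Optional, Tuple

# Subject lines from the bulletin, compared case-insensitively.
BUGBEAR_SUBJECTS = {s.lower() for s in [
    "hello!", "update", "hmm..", "Payment notices", "Just a reminder",
    "Correction of errors", "history screen", "Announcement", "various",
    "Introduction", "Interesting...", "I need help about script!!!", "Stats",
    "Please Help...", "Report", "Membership Confirmation", "Get a FREE gift!",
    "Today Only", "New Contests", "Lost & Found", "bad news", "fantastic",
    "click on this!", "Market Update Report", "empty account", "My eBay ads",
    "25 merchants and rising", "CALL FOR INFORMATION!", "new reading",
    "Sponsors needed", "SCAM alert!!!", "Warning!", "its easy",
    "free shipping!", "Daily Email Reminder", "Tools For Your Online Business",
    "New bonus in your cash account", "Your Gift", "$150 FREE Bonus!",
    "Your News Alert", "Get 8 FREE issues - no risk!", "Greets!",
    "Confirmation of Recipes…",
]}

# Extensions Windows will execute, and the harmless-looking extensions a
# worm puts in front of them so the real one is hidden when Explorer does
# not display extensions.  Assumed lists, not from the bulletin.
EXECUTABLE_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXT = {"doc", "txt", "jpg", "gif", "xls", "pdf", "htm", "html", "zip"}


def attachment_risk(filename: str) -> Optional[str]:
    """Classify a filename as 'double-extension', 'executable' or None."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double-extension"
    return "executable"


def triage(raw: bytes) -> Dict[str, object]:
    """Return the subject match, risky attachments and a verdict for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    risky: List[Tuple[str, str]] = []
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2047/2231 encoded names
        if name:
            risk = attachment_risk(name)
            if risk:
                risky.append((name, risk))
    subject_match = subject.lower() in BUGBEAR_SUBJECTS
    # The subject list is generic ("update", "Report"), so a subject hit on
    # its own only earns a review; an executable attachment is quarantined.
    if risky:
        verdict = "quarantine"
    elif subject_match:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject": subject, "subject_match": subject_match,
            "attachments": risky, "verdict": verdict}


# Constructed sample in the shape the bulletin describes.  The From address
# proves nothing, because Bugbear spoofs it.
SAMPLE_MESSAGE = b"""From: someone@example.com
To: victim@example.com
Subject: Payment notices
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bb"

--bb
Content-Type: text/plain

see attached
--bb
Content-Type: application/octet-stream; name="3 July 2002.doc.pif"
Content-Disposition: attachment; filename="3 July 2002.doc.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--bb--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))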
Name of the Virus: Worm_Rodok.A, Henpek, W32/Fleming worm
This worm propagates via MSN Messenger
It updates itself by contacting a certain URL
Drops a backdoor
Are Definitions Available: NO (nothing yet detects the worm itself)
Detection is available through: NAVCE currently detects the dropped backdoor as Evilbot.
Detected using Virus Definitions dated: The Evilbot backdoor is detected by NAVCE virus definitions later than May 2002.
If you have been in contact with this worm, contact the Virus CERT right away: virus@us.ibm.com.
Operating Systems Affected:
Windows 95
Windows 98
Windows 2000
Windows XP
Ways this virus spreads:
This memory-resident worm propagates via MSN Messenger. It updates itself by connecting to a certain URL. It also drops and executes a backdoor, detected by Symantec as the Evilbot backdoor.
Infection Details:
This worm propagates via MSN Messenger. It is written in Visual Basic 6.0.
Upon execution, this worm displays a window with the following text strings:
Generate
Quit
Registry Settings
It checks for the following registry keys, adding them if they do not exist:
HKEY_CURRENT_USER\Software\Valve\CounterStrike\Settings (value: Key)
HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings (value: Key)
Propagation
This worm opens MSN Messenger and sends the message below to everyone on the infected user's MSN contact list:
“Hey!! Could you please check out this program for me? :) I made it myself and want people to test it. Its a readme with the program that explains what it does!
http://home.<blocked>.net/downl0ad/BR2002.exe <-- There you can download it! give me advices on what to upgrade please!!”
Recipients of the message are not automatically infected with the worm. Infection happens when the recipient clicks the URL, which downloads the worm and executes it on the system.
It then searches for updates of itself and displays this text message:
hello
Updating...
It automatically updates itself by connecting to this URL and downloading the file:
http://home.<blocked>.net/downl0ad/Update.exe
and saves it as:
C:\update35784.exe
CD Key Stealer
The worm reads the registry values below and sends their data to an MSN user named styggefolk@hotmail.com. The message appears as:
<infected person> says:
I have loaded the ur CDKEY Generator 1.3! CS: <CS Key> HL: <HL Key>
*where <infected person> is the email address of the user whose machine is infected by the worm,
<CS Key> is the data of the registry value Key under HKEY_CURRENT_USER\Software\Valve\CounterStrike\Settings, and
<HL Key> is the data of the registry value Key under HKEY_CURRENT_USER\Software\Valve\Half-Life\Settings
Backdoor Component
From the same URL, the worm also obtains this file:
http://home.<blocked>.net/downl0ad/CS-Keygen.exe
and saves it as:
C:\hehe2397824.exe
It also creates the file WinUpdat.exeupdate.ur.address in the Windows folder. It then creates a registry entry so that the dropped file runs at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinUpdat = "C:\%WINDOWS%\WinUpdat.exeupdate.ur.address"
Trend Micro detects both WinUpdat.exeupdate.ur.address and hehe2397824.exe as BKDR_EVILBOT.A
Other Details
This worm runs in the background using a random process name. The
following text can be seen in its body:
I have loaded the ur CDKEY Generator 1.3!
Removal Instructions:
Identifying the Malware Program
Scan the system with an up-to-date antivirus product and note the names of the files it detects (the files named above are C:\update35784.exe, C:\hehe2397824.exe and WinUpdat.exeupdate.ur.address in the Windows folder). The procedures below need those names. Note that the worm itself runs under a random process name, so look for the detected file names rather than a fixed process name.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager.
On Windows 9x/ME systems, press CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. Also in the list of running programs*, locate and end the process: Winupdat
6. To check that the malware processes have been terminated, close Task Manager and then open it again.
7. Close Task Manager.
*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
WinUpdat = "C:\%WINDOWS%\WinUpdat.exeupdate.ur.address"
*Where %WINDOWS% is the Windows directory, which is usually C:\Windows or C:\WINNT
4. Close Registry Editor
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system. Finally, delete the files detected earlier, or let your antivirus product remove them.
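The Opaserv indicators earlier on this page and the Rodok removal procedure above both come down to the same check: does the Run key hold one of the listed value names with the listed data? The script below is an added example for both passages, not code from the bulletin's author or from any antivirus vendor. It parses a regedit export of the Run key, flags the value names and data the bulletin lists (ScrSvr or ScrSvrOld set to c:\tmp.ini; WinUpdat pointing at WinUpdat.exeupdate.ur.address), and builds a .reg file that deletes only those values when imported. The `load_export` helper, the legitimate "Synchronization Manager" entry and the sample export are assumptions constructed for the demonstration.

```python
r"""Check a Run-key export for the autostart entries named in this bulletin.

Added example covering the Opaserv indicators and the Rodok removal
procedure; not code from the bulletin's author or any antivirus vendor.
The IOC table comes from the bulletin; load_export and SAMPLE_EXPORT
(including its legitimate entry) are constructed for the demonstration.
"""
import re
import sys
from typing import Dict, List, Tuple

# value name -> substring expected in its data.  Requiring the data to match
# avoids flagging an unrelated program that happens to reuse a value name.
AUTOSTART_IOCS = {
    "scrsvr": "tmp.ini",                          # W32.Opaserv.Worm
    "scrsvrold": "tmp.ini",                       # W32.Opaserv.Worm
    "winupdat": "winupdat.exeupdate.ur.address",  # Worm_Rodok.A backdoor
}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string (REG_SZ) values of a regedit export: {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            # regedit writes backslashes and quotes escaped inside string data
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def find_autostart_iocs(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every Run-key value matching an IOC."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\currentversion\run"):  # HKLM or HKCU
            continue
        for name, data in values.items():
            expected = AUTOSTART_IOCS.get(name.lower())
            if expected and expected in data.lower():
                hits.append((key, name, data))
    return hits


def cleanup_reg(hits: List[Tuple[str, str, str]]) -> str:
    """Build a .reg file that deletes the flagged values (the "Name"=- syntax)."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


def load_export(path: str) -> str:
    """Read an export: Version 5.00 files are UTF-16LE with a BOM, REGEDIT4 files ANSI."""
    with open(path, "rb") as f:
        raw = f.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


# Constructed export: the two entries from the bulletin beside a legitimate one.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="c:\\tmp.ini"
"WinUpdat"="C:\\WINDOWS\\WinUpdat.exeupdate.ur.address"
"Synchronization Manager"="mobsync.exe /logon"
"""

if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    found = find_autostart_iocs(parse_reg_export(text))
    for key, name, data in found:
        print(f"IOC: [{key}] {name} = {data}")
    if found:
        print(cleanup_reg(found))
```

Produce the export on the suspect machine with `regedit /e run.reg HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` (or `reg export` where reg.exe is available, as on Windows XP), and export the HKEY_CURRENT_USER Run key as well. Review the hits before importing the generated file: on Windows 9x/ME change its first line to REGEDIT4, and in every case terminate the process first, as the procedure above says, or the running malware can recreate the value.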
For virus descriptions and removal instructions (Symantec Security Response):
http://securityresponse.symantec.com/
For Microsoft security patches:
http://www.microsoft.com/security
I make no warranties about how good these sites are.