Alias:W32.Opaserv.Worm, WORM_OPASERV.E [Trend], W32/Opaserv-C [Sophos], Win32.Opaserv.E [CA], W32/Opaserv.worm [McAfee]
Type:Worm 
Size:24,064 Bytes 
Origin: 
Date:00-00-0000 
Damage:Spreading over unprotected network resources. 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Medium 

Distribution
It tries to spread over unprotected network resources.

Technical Details
When activated on Windows 95/98/Me computers, Worm/Opasoft.E checks for 'BrasilOld' in the registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If present, the related file is deleted. If not, the worm checks for 'Brasil' in the entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
If not present, the worm registers:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Brasil C:\WINDOWS\Brasil.exe
Brasil C:\WINDOWS\Brasil.pif

Then it checks whether the file C:\Windows\Brasil.exe or C:\Windows\Brasil.pif has been activated. If not, the worm copies itself to this file and creates the registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run BrasilOld

After checking the registry and the location of its activity, the worm uses a mutex named Brasil31415 to ensure that only one copy of it is in system memory.
If not yet activated, the worm registers itself as a process.
The worm exploits a security vulnerability in Microsoft Windows 95/98/Me. It sends single password characters to the network resource to gain access to files on other Windows 95/98/Me systems without knowing the password.
The affected systems are:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me

It creates C:\Put.ini, which contains the text
'run=c:\Windows\Brasil.exe,c:\Windows\Brasil.pif'.

The worm appears to be able to update itself by reading files from a website.
It also tries to download a file named Puta!!.exe.
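
The persistence artifacts listed above (the Run values 'Brasil' and 'BrasilOld', the dropped files and C:\Put.ini) can be checked offline. The following Python sketch is an added example, not part of the original description; it assumes a REGEDIT4-format registry export, a file listing and the contents of Put.ini were collected from the machine, and all sample inputs are constructed.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"brasil", "brasilold"}   # value names from the description
DROPPED = {r"c:\windows\brasil.exe", r"c:\windows\brasil.pif", r"c:\put.ini"}

def scan_reg_export(text):
    """Return (value_name, data) pairs for worm values under the HKLM Run key."""
    hits, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Track which key we are in; only the exact Run key counts.
            in_run = line[1:-1].lower() == RUN_KEY
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m and m.group(1).lower() in RUN_VALUES:
            # .reg exports escape backslashes; undo that for display.
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits

def scan_paths(paths):
    """Return listed paths that match the files the worm drops (case-insensitive)."""
    return [p for p in paths if p.strip().lower() in DROPPED]

def scan_put_ini(text):
    """Return run= lines that reference Brasil.exe or Brasil.pif."""
    out = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() == "run" and re.search(r"brasil\.(exe|pif)", value, re.I):
            out.append(line.strip())
    return out

# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Brasil"="C:\\WINDOWS\\Brasil.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Brasil"="not under the Run key, ignored"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\Brasil.exe", r"C:\WINDOWS\notepad.exe", r"C:\Put.ini"]
SAMPLE_INI = "run=c:\\Windows\\Brasil.exe,c:\\Windows\\Brasil.pif\n"

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG))
    print(scan_paths(SAMPLE_PATHS))
    print(scan_put_ini(SAMPLE_INI))
```
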
Description created by Crony Walker on Tuesday, June 15, 2004
