English
Deutsch
Home
Virus Info
Worm/OpaSoft
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/OpaSoft - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Alias:
W32/OpaServ.Worm
Type:
Worm
Size:
28,672 bytes
Origin:
unknown
Date:
09-30-2002
Damage:
VDF Version:
Danger:
Low
Distribution:
Medium
General Description
Worm/OpaSoft spreads over networks as "SvrScr.exe" file. It also tries to download an update from the website www.opasoft.com.
Symptoms
- the files and registry entries mentioned below.
- Increased traffic on port 139 (UDP).
Distribution
Worm/OpaSoft looks for mapped network drives and copies itself as "ScrSvr.exe" wherever it has writing rights.
Technical Details
When activated, the worm copies itself as ScrSvr.exe in Windows system and makes the following registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"ScrSvr"="C:\Windows\ScrSvr.exe"
Then it creates a file named TMP.INI in the root directory of drive C. This file has the following line:
"run=c:\windows\scrsvr.exe"
and makes the following entry in Win.ini:
run=c:\tmp.ini
Worm/OpaSoft looks for mapped network drives and copies itself as "ScrSvr.exe" wherever it has writing rights. It then tries to download an update from the website www.opasoft.com. But this however will fail, since the page can no longer be attained.
If active, Worm/OpaSoft dispatches all IP addresses over port 139. If the worm can find a computer, on Intranet or Internet, which has a shared C drive, it copies itself as "ScrSvr.exe" in that drive.
Variants:
Worm/OpaSoft.B version:
Name: Worm/OpaSoft.B
Type: Worm
Size: 24.064 Bytes
Platform: Windows 95/98/Me/NT/2000/XP
It has the same payload as Worm/OpaSoft. It spreads over shared drives on Intranet and Internet. The worm differs, though, by its size and registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"Brasil"="C:\\WINDOWS\\Brasil.pif"
The run entry in Win.ini is changed. This refers directly to the worm file Brasil.pif:
run=c:\windows\Brasil.pif
Worm/OpaSoft.C version:
Name: Worm/OpaSoft.C
Type: Worm
Size: 24.064 Bytes
Platform: Windows 95/98/Me/NT/2000/XP
It has the same payload as Worm/OpaSoft. It spreads over shared drives on Intranet and Internet. The worm differs, though, by its size and registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"Brasil"="C:\\WINDOWS\\Brasil.exe"
The run entry in Win.ini is changed. This refers directly to the worm file Brasil.exe:
run=c:\windows\Brasil.exe
See a brief description
here
.
Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Netsky.HB
TR/Crypt.CFI.Gen
Worm/Netsky.D.Dam
W32/Elkern.C
Worm/Mytob.HA
Halifax 26
TR/Vundo.GJ
TR/Agent.Abt.3
Halifax 25
TR/Dldr.PurityScan.FK
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Print this page
.gif)
