W32/Opaserv.M

Analysis

  • The virus is a 32-bit executable, 17408 bytes in size, and a minor variant of W32/Opaserv.A
  • The virus icon is that of a standard 32-bit executable
  • The virus attempts to connect to opasoft.com to update itself; however, the hard-coded URL is no longer available
  • The virus copies itself to the Windows folder as mqbkup.exe and modifies the registry so that it loads at Windows startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    mqbkup = Windows\mqbkup.exe

  • The virus attempts to use SMB over NetBIOS to find machines on the same IP subnet

  • The virus scans IP addresses within the same domain for other shares, using NetBIOS via TCP port 137, seeking systems with open shares

  • If a system with an open share is found, the virus copies itself to that machine's Windows folder as mqbkup.exe

  • The virus modifies the WIN.INI configuration file to load the dropped virus at Windows startup
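As an added example that is not part of the original entry, the following Python script checks the two persistence artifacts listed above (the Run value and a WIN.INI run=/load= entry) against constructed sample data; the sample files and function names are mine, not Fortinet's.

```python
import re

# Constructed sample inputs (not taken from the original page): a WIN.INI
# fragment and a .reg-style export of the Run key, each carrying the
# Opaserv.M persistence entries described above plus one benign entry.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\mqbkup.exe
device=,,
[Desktop]
Wallpaper=(None)
"""

SAMPLE_RUN_KEY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mqbkup"="Windows\\mqbkup.exe"
"SecurityAgent"="C:\\Program Files\\Agent\\agent.exe"
"""

DROPPER_NAME = "mqbkup.exe"   # dropped file name from the analysis
RUN_VALUE_NAME = "mqbkup"     # Run value name from the analysis


def win_ini_hits(text):
    """Return (key, value) pairs from [windows] load=/run= that reference the dropper."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("load", "run") and DROPPER_NAME in value.lower():
            hits.append((key.strip().lower(), value.strip()))
    return hits


def run_key_hits(reg_text):
    """Return (name, data) Run values in a .reg export matching the persistence entry."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower().endswith(r"\currentversion\run]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run and m and (m.group(1).lower() == RUN_VALUE_NAME
                             or DROPPER_NAME in m.group(2).lower()):
            hits.append((m.group(1), m.group(2)))
    return hits
```

On a live host the same two functions can be fed the real WIN.INI contents and a `reg export` of the Run key; a hit on either indicates the persistence mechanism described above.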


Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

  • FortiClient: Extreme
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR