W32/Opaserv.M
Analysis
- Virus is a 32-bit Windows executable, 17408 bytes in size, and is a minor variant of W32/Opaserv.A
- Virus icon is that of a standard 32-bit executable
- Virus attempts to connect to opasoft.com to update itself; however, the hard-coded URL is no longer available
- Virus copies itself to the Windows folder as mqbkup.exe and modifies the registry to load at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  mqbkup = Windows\mqbkup.exe
- The virus uses SMB over NetBIOS to seek machines on the same IP subnet
- The virus scans IP addresses on the same subnet for systems with open shares, using NetBIOS Name Service queries on port 137 (UDP)
- If a system with an open share is found, the virus copies itself into that machine's Windows folder as mqbkup.exe
- The virus then modifies the WIN.INI configuration file on that machine so that the dropped copy loads at Windows startup
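The following Python script is an added example (not Fortinet's code and not part of this entry) that checks a host and a flow log for the indicators described above: the `mqbkup` value under the Run key, an `mqbkup.exe` entry on the `run=`/`load=` lines of the `[windows]` section of WIN.INI, and a single source sweeping port 137 across its own subnet. The Run-key values, the WIN.INI text and the flow records are constructed samples, and "same IP subnet" is assumed to mean the source's /24.

```python
"""Host and network checks for the W32/Opaserv.M indicators described in the
analysis. Added example: not Fortinet's code. All inputs below are
constructed samples, and "same IP subnet" is assumed to mean the source's /24."""
import ipaddress
from collections import defaultdict

DROPPED_NAME = "mqbkup.exe"   # file name the virus drops into the Windows folder
RUN_VALUE_NAME = "mqbkup"     # value name it writes under HKLM\...\CurrentVersion\Run


def run_key_findings(run_values):
    """run_values maps value name -> command line, as read from
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    Returns the value names that match the Opaserv persistence entry,
    either by value name or because the command references mqbkup.exe."""
    hits = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME or DROPPED_NAME in command.lower():
            hits.append(name)
    return hits


def win_ini_startup_entries(text):
    """Return the programs listed on the run= and load= lines of the
    [windows] section of WIN.INI. Both lines start programs at Windows
    startup, and either may list several, separated by spaces or commas."""
    entries = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                     # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                entries.extend(value.replace(",", " ").split())
    return entries


def win_ini_findings(text):
    """WIN.INI startup entries whose file name is mqbkup.exe."""
    return [e for e in win_ini_startup_entries(text)
            if e.lower().endswith(DROPPED_NAME)]


def port137_scanners(flows, min_targets=16):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns {src: count}
    for sources that sent port-137 traffic to at least min_targets distinct
    hosts in their own /24 (assumption: the 'same IP subnet' of the
    analysis is a /24). Traffic to other subnets and to self is ignored."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port != 137 or src == dst:
            continue
        subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        if ipaddress.ip_address(dst) in subnet:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


# --- constructed sample inputs (not real captures) -------------------------
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "mqbkup": r"Windows\mqbkup.exe",          # the entry from the analysis
}

SAMPLE_WIN_INI = r"""
[windows]
load=
run=C:\WINDOWS\mqbkup.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# 10.0.5.23 sweeps port 137 across 32 hosts of its own /24 (plus one host in
# another subnet); 10.0.5.40 makes a single name query, which is normal.
SAMPLE_FLOWS = [("10.0.5.23", f"10.0.5.{i}", 137) for i in range(100, 132)]
SAMPLE_FLOWS += [("10.0.5.23", "10.0.9.1", 137), ("10.0.5.40", "10.0.5.1", 137)]

if __name__ == "__main__":
    print("Run key:", run_key_findings(SAMPLE_RUN_VALUES))
    print("WIN.INI:", win_ini_findings(SAMPLE_WIN_INI))
    print("Port 137 sweeps:", port137_scanners(SAMPLE_FLOWS))
```

On a real host, feed `run_key_findings` the values enumerated from the Run key and `win_ini_findings` the contents of `%WINDIR%\WIN.INI`; the port-137 threshold of 16 distinct targets is a starting point to tune against the normal NetBIOS name-query volume of the network being monitored.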
Recommended Action
Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 