W32/Opaserv.W
Analysis
- Virus is 32-bit, with a compressed size of 28,672
bytes, and is a minor variant of W32/Opaserv.A
- Virus icon is that of a standard 32-bit executable
- If the virus is run, it may disable firewall or antivirus
protection applications in an effort to conceal its
attempt to connect to the Internet
- Virus may write itself as several files to the
local file system (28,672 bytes) –
c:\WINDOWS\MCISEQ.EXE
c:\WINDOWS\MMDEVLDR.EXE
c:\WINDOWS\MPREXE.EXE
c:\WINDOWS\SYSTEM\scr.scr
c:\WINDOWS\SYSTEM\winsrv.exe
c:\WINDOWS\MSBIND.DLL (25 bytes)
c:\WINDOWS\CDM.EXE (12,288 bytes)
c:\WINDOWS\MSCPXL32.EXE (12,288 bytes)
c:\WINDOWS\VJOYD.EXE (12,288 bytes)
c:\WINDOWS\SYSTEM\msload.exe (12,288 bytes)
- Virus may modify the registry to run these files
at Windows startup –
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"MMDEVLDR" = C:\WINDOWS\MMDEVLDR.EXE
"MSCPXL32" = C:\WINDOWS\MSCPXL32.EXE
"winsrv" = c:\windows\system\winsrv.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"MCISEQ" = C:\WINDOWS\MCISEQ.EXE
"MPREXE" = C:\WINDOWS\MPREXE.EXE
"scr" = c:\windows\system\scr.scr
"VJOYD" = C:\WINDOWS\VJOYD.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"CDM" = C:\WINDOWS\CDM.EXE
"LoadManager" = c:\windows\system\msload.exe
- The virus attempts to connect to opasoft.com to update
itself; however, the hard-coded URL is no longer available
- The virus will attempt to use SMB through NetBIOS,
seeking machines on the same IP subnet
- The virus scans IP addresses within the same domain
for other shares, probing the NetBIOS Name Service on
UDP port 137 to locate systems with open shares
- If a system is found with an open share, the virus
copies itself into the Windows folder of that machine
- The virus may also modify the WIN.INI configuration
file to load the dropped virus at Windows startup
- If the Trojan component runs, it may fill up the
hard drive and display the following message in an
MS-DOS environment –
NOTICE:Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!Your unauthorized license has been revoked.
For more information, please call us at:1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at:www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.
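The dropped files, the Run/RunServices values and the WIN.INI entry listed above are the host artifacts a responder would sweep for. What follows is an added example, not code from the original analysis or from Fortinet: a Python triage routine that takes a REGEDIT4-style registry export, the text of WIN.INI and a path-to-size file listing (all three constructed here as sample input) and flags entries that match the indicators above. It matches on full path and size rather than on file name alone, because the dropper reuses names that resemble Windows components, and a same-named file in another directory should not be flagged.

```python
import re

# Dropped files and sizes from the analysis above (paths lower-cased for comparison).
DROPPED = {
    r"c:\windows\mciseq.exe": 28672,
    r"c:\windows\mmdevldr.exe": 28672,
    r"c:\windows\mprexe.exe": 28672,
    r"c:\windows\system\scr.scr": 28672,
    r"c:\windows\system\winsrv.exe": 28672,
    r"c:\windows\msbind.dll": 25,
    r"c:\windows\cdm.exe": 12288,
    r"c:\windows\mscpxl32.exe": 12288,
    r"c:\windows\vjoyd.exe": 12288,
    r"c:\windows\system\msload.exe": 12288,
}
# Autostart keys the analysis lists (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}


def norm(path: str) -> str:
    r"""Strip quotes/whitespace and lower-case, so C:\WINDOWS\X.EXE and c:\windows\x.exe compare equal."""
    return path.strip().strip('"').lower()


def parse_reg_export(text: str) -> dict:
    r"""Parse a REGEDIT4-style export into {key: {value_name: string_data}}.
    String data in .reg files escapes backslash as \\ and quote as \" ; undo both."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def check_registry(reg: dict) -> list:
    """Flag Run/RunServices values whose command points at a dropped file."""
    hits = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            parts = data.split()          # 8.3 paths carry no spaces; drop any arguments
            if parts and norm(parts[0]) in DROPPED:
                hits.append(f"registry {key}\\{name} -> {data}")
    return hits


def check_win_ini(text: str) -> list:
    """Flag run= / load= entries in the [windows] section that point at a dropped file."""
    hits, in_windows = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and "=" in s:
            k, v = (p.strip() for p in s.split("=", 1))
            if k.lower() in ("run", "load"):
                for item in re.split(r"[\s,]+", v):
                    if item and norm(item) in DROPPED:
                        hits.append(f"win.ini {k}={item}")
    return hits


def check_files(listing: dict) -> list:
    """listing: {path: size}. Flag known drop paths and note whether the size matches too."""
    hits = []
    for path, size in listing.items():
        expected = DROPPED.get(norm(path))
        if expected is not None:
            note = "size matches" if size == expected else f"size {size}, expected {expected}"
            hits.append(f"file {path} ({note})")
    return hits


def triage(reg_text: str, win_ini_text: str, listing: dict) -> list:
    return check_registry(parse_reg_export(reg_text)) + check_win_ini(win_ini_text) + check_files(listing)


# Constructed sample inputs (not taken from a real infection).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"MCISEQ"="C:\\WINDOWS\\MCISEQ.EXE"
"scr"="c:\\windows\\system\\scr.scr"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadManager"="c:\\windows\\system\\msload.exe"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\MMDEVLDR.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_FILES = {
    r"C:\WINDOWS\MCISEQ.EXE": 28672,
    r"C:\WINDOWS\CDM.EXE": 12288,
    r"C:\WINDOWS\SYSTEM\MPREXE.EXE": 52000,   # same name, different directory: not flagged
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_FILES):
        print(hit)
```

A size mismatch on a known path is still reported, since a later variant or a partially written copy would show the same path with a different size; the note makes the difference visible rather than silently dropping the hit.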
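The share scan described above runs over the NetBIOS Name Service on UDP port 137. The analysis does not say which NBNS message Opaserv sends, so the following added example (not from the original page or from Fortinet) shows a representative probe of that kind rather than a reconstruction of the worm: it builds a node-status (NBSTAT) request for the wildcard name `*`, the same query `nbtstat -A` sends, parses the reply's name table and MAC address, and reports whether the host advertises the File Server service (NetBIOS name suffix 0x20), the entry a share scanner would key on before trying SMB. The reply is constructed in-process so the code runs offline; `build_node_status_response` exists only to fabricate that sample and is not something a scanner would contain.

```python
import struct

NBSTAT = 0x0021             # RR type: node status (RFC 1002)
CLASS_IN = 0x0001
NBNS_PORT = 137             # UDP; the port the scan described above probes
FILE_SERVER_SUFFIX = 0x20   # 16th byte of a NetBIOS name announcing the File Server service
NAME_FLAG_GROUP = 0x8000
NAME_FLAG_ACTIVE = 0x0400


def encode_nb_name(name: bytes, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes, append the
    suffix byte, then emit each byte as two nibbles offset by 'A' (0x41).
    Returns the wire form: length byte (32), 32 encoded characters, root label."""
    raw = name[:15].ljust(15, pad) + bytes([suffix])
    encoded = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return bytes([32]) + encoded + b"\x00"


def build_node_status_request(txid: int) -> bytes:
    """NBSTAT query for the wildcard name '*' (NUL-padded), as nbtstat -A sends it."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags: QUERY, no broadcast; QDCOUNT=1
    question = encode_nb_name(b"*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, CLASS_IN)
    return header + question


def build_node_status_response(txid: int, names: list, mac: bytes) -> bytes:
    """Constructed sample reply (not captured traffic) so the parser can run offline.
    names: list of (name, suffix, is_group)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative, ANCOUNT=1
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = NAME_FLAG_ACTIVE | (NAME_FLAG_GROUP if is_group else 0)
        rdata += name.encode("ascii")[:15].ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + bytes(40)  # STATISTICS: UNIT_ID (MAC) then 40 bytes of counters, zeroed here
    rr = encode_nb_name(b"*", 0x00, pad=b"\x00") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(data: bytes, expected_txid: int = None):
    """Return ([(name, suffix, is_group), ...], mac) from an NBSTAT reply; raise ValueError otherwise."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer response")
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    off += 1 + data[off] + 1                      # skip RR_NAME: length byte, label, root label
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT or off + rdlen > len(data):
        raise ValueError("bad resource record")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix, bool(nflags & NAME_FLAG_GROUP)))
        off += 18
    return names, data[off:off + 6]


def advertises_file_sharing(names) -> bool:
    """A unique (non-group) name with suffix 0x20 means the host runs the File Server service,
    i.e. it is a candidate for the open-share check a scanner performs next over SMB."""
    return any(suffix == FILE_SERVER_SUFFIX and not is_group for _, suffix, is_group in names)


if __name__ == "__main__":
    # Constructed exchange: the probe we would send, and a fabricated reply from a sharing host.
    probe = build_node_status_request(0x1234)
    reply = build_node_status_response(0x1234, [("WORKSTN", 0x00, False), ("WORKSTN", 0x20, False),
                                                ("WORKGROUP", 0x00, True)], bytes.fromhex("00112233aabb"))
    table, mac = parse_node_status_response(reply, expected_txid=0x1234)
    print(f"probe {len(probe)} bytes to UDP/{NBNS_PORT}; host {mac.hex(':')} shares files: "
          f"{advertises_file_sharing(table)}")
```

For detection, the 50-byte request with the encoded name `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA` is the signature to look for: a single host issuing it across a subnet on UDP 137 is the scanning behaviour described above, whatever the sender.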