Virus

W32/Opaserv.M

Analysis

  • Virus is 32-bit, with a size of 17408 bytes, and is a minor variant of W32/Opaserv.A
  • Virus icon is that of a standard 32-bit executable
  • Virus attempts to connect to opasoft.com and update itself; however, the hard-coded URL is no longer available
  • Virus copies itself to the Windows folder as mqbkup.exe and modifies the registry to load at Windows startup –

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    mqbkup = Windows\mqbkup.exe

  • The virus will attempt to use SMB through NetBIOS seeking machines on the same IP subnet

  • The virus will scan IP addresses within the same domain for other shares, using NetBIOS via TCP port 137, seeking systems with open shares

  • If a system is found with an open share, the virus will copy itself to that machine in the Windows folder as mqbkup.exe

  • The virus will modify the WIN.INI configuration file to load the dropped virus at Windows startup
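A host-side check for the persistence indicators listed above (the mqbkup Run value, the dropped mqbkup.exe, and the WIN.INI entry), added here as an example and not part of the original analysis. The registry snapshot and WIN.INI text are constructed samples, and the assumption that the WIN.INI change lands in the load= or run= key of the [windows] section is mine; the analysis does not name the key.

```python
import re

# Indicators taken from the analysis above.
DROPPED_FILE = "mqbkup.exe"
RUN_VALUE_NAME = "mqbkup"


def check_run_key(run_values: dict) -> list:
    """Flag Run-key entries ({value name: command line}) tied to the dropped file."""
    findings = []
    for name, cmd in run_values.items():
        if name.lower() == RUN_VALUE_NAME or DROPPED_FILE in cmd.lower():
            findings.append(f"Run value '{name}' launches {cmd}")
    return findings


def check_win_ini(text: str) -> list:
    """Flag load=/run= lines under [windows] that reference the dropped file.
    Assumption: the virus uses one of those two keys (not stated in the analysis)."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("load", "run") and DROPPED_FILE in value.lower():
            findings.append(f"win.ini {key.strip()}={value.strip()}")
    return findings


# Constructed samples: an infected-looking Run key snapshot and WIN.INI.
SAMPLE_RUN_KEY = {"mqbkup": "Windows\\mqbkup.exe", "ctfmon": "ctfmon.exe"}
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\mqbkup.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for finding in check_run_key(SAMPLE_RUN_KEY) + check_win_ini(SAMPLE_WIN_INI):
        print("INDICATOR:", finding)
```

On a live host, feed `check_run_key` the values read from the HKLM Run key and `check_win_ini` the contents of the Windows folder's WIN.INI.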


Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.