W32/Opaserv.L

Analysis

  • The virus is a 32-bit executable with a size of 29,065 bytes and is a minor variant of W32/Opaserv.A
  • The virus icon is that of a standard 32-bit executable
  • The virus attempts to connect to opasoft.com and update itself; however, the hard-coded URL is no longer available
  • The virus copies itself to the Windows folder as PutA!!.exe and modifies the registry to load at Windows startup:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PutA!! = Windows\PutA!!.exe

  • The virus will attempt to use SMB through NetBIOS seeking machines on the same IP subnet

  • The virus will scan IP addresses within the same domain, using NetBIOS via TCP port 137, seeking systems with open shares

  • If a system is found with an open share, the virus will copy itself to that machine in the Windows folder as PutA!!.exe

  • The virus will modify the WIN.INI configuration file to load the dropped virus at Windows startup
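
Added example (not part of the original write-up): a Python check that looks for the two startup indicators described above in offline copies of a host's WIN.INI and a REGEDIT4 text export of the registry. It assumes the WIN.INI change appears under the standard `[windows]` `load=`/`run=` entries, which the write-up does not specify; the function names and sample data are constructed for illustration.

```python
import re

# Indicators from the analysis above; matching is case-insensitive as on Windows.
DROPPED_NAME = "puta!!.exe"
RUN_VALUE = "puta!!"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def winini_startup_hits(text):
    """(key, value) pairs under [windows] load=/run= that name the dropped file."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            # Assumption: startup entries live in load=/run= (standard WIN.INI keys).
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and DROPPED_NAME in value.lower():
                hits.append((key.lower(), value))
    return hits

def run_key_hits(reg_text):
    """(name, data) string values in the HKLM Run key that match the indicators."""
    hits, in_run = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY
            continue
        match = REG_VALUE.match(line) if in_run else None
        if match:
            name, data = match.group(1), match.group(2).replace("\\\\", "\\")
            if name.lower() == RUN_VALUE or DROPPED_NAME in data.lower():
                hits.append((name, data))
    return hits

# Constructed sample artifacts (not taken from a real host).
SAMPLE_WININI = r"""[windows]
load=
run=C:\WINDOWS\PutA!!.exe
"""
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"PutA!!"="C:\\WINDOWS\\PutA!!.exe"
"""
```

A non-empty result from either function means the corresponding startup entry is present in that artifact.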

Telemetry

Detection Availability

FortiGate: Extreme
FortiClient: Extended
FortiMail: Extended
FortiSandbox: Extended
FortiWeb: Extended
Web Application Firewall: Extended
FortiIsolator: Extended
FortiDeceptor: Extended
FortiEDR