W32/Opaserv.W

Analysis

  • Virus is 32-bit, with a compressed size of 28,672 bytes, and is a minor variant of W32/Opaserv.A
  • Virus icon is that of a standard 32-bit executable
  • If the virus is run, it may disable firewall or antivirus applications in an effort to conceal its attempts to connect to the Internet
  • Virus may write itself as several files to the local file system (28,672 bytes unless noted otherwise) –
    c:\WINDOWS\MCISEQ.EXE
    c:\WINDOWS\MMDEVLDR.EXE
    c:\WINDOWS\MPREXE.EXE
    c:\WINDOWS\SYSTEM\scr.scr
    c:\WINDOWS\SYSTEM\winsrv.exe
    c:\WINDOWS\MSBIND.DLL (25 bytes)
    c:\WINDOWS\CDM.EXE (12,288 bytes)
    c:\WINDOWS\MSCPXL32.EXE (12,288 bytes)
    c:\WINDOWS\VJOYD.EXE (12,288 bytes)
    c:\WINDOWS\SYSTEM\msload.exe (12,288 bytes)
  • Virus may modify the registry to run these files at Windows startup –
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "MMDEVLDR" = C:\WINDOWS\MMDEVLDR.EXE
    "MSCPXL32" = C:\WINDOWS\MSCPXL32.EXE
    "winsrv" = c:\windows\system\winsrv.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "MCISEQ" = C:\WINDOWS\MCISEQ.EXE
    "MPREXE" = C:\WINDOWS\MPREXE.EXE
    "scr" = c:\windows\system\scr.scr
    "VJOYD" = C:\WINDOWS\VJOYD.EXE
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    "CDM" = C:\WINDOWS\CDM.EXE
    "LoadManager" = c:\windows\system\msload.exe
  • Virus attempts to connect to opasoft.com to update itself; however, the hard-coded URL is no longer available
  • The virus spreads over SMB file sharing via NetBIOS, targeting machines on the same IP subnet
  • It scans the addresses in that range with NetBIOS name service queries (port 137, which the name service carries over UDP) looking for systems with open shares. If a system with an open share is found, the virus copies itself over the share into that machine's Windows folder
  • The virus may also modify the WIN.INI configuration file so that the dropped file is loaded at Windows startup
  • If the Trojan component runs, it may fill up the hard drive and display the following message in an MS-DOS window –
    NOTICE:

    Illegal Microsoft Windows license detected!
    You are in violation of the Digital Millennium Copyright Act!

    Your unauthorized license has been revoked.


    For more information, please call us at:

    1-888-NOPIRACY

    If you are outside the USA, please look up the correct contact information
    on our website, at:

    www.bsa.org

    Business Software Alliance
    Promoting a safe & legal online world.
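The persistence indicators above (the dropped file names, the Run/RunServices values, and the WIN.INI edit) can be checked offline from a registry export and a copy of WIN.INI. The script below is an added example written for this page, not FortiGuard's code: it parses the `"name"="value"` subset of the .reg export format and the `run=`/`load=` lines of WIN.INI, and reports any autostart entry whose target basename is one of the listed drop names. The two sample inputs are constructed for the example.

```python
"""Offline triage of W32/Opaserv.W autostart indicators (added example).

Parses a registry export (.reg text) and a WIN.INI file and reports
autostart entries whose target is one of the file names the analysis
lists.  The sample inputs at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Basenames the analysis lists as drop locations, lower-cased for comparison.
OPASERV_DROP_NAMES = {
    "mciseq.exe", "mmdevldr.exe", "mprexe.exe", "scr.scr", "winsrv.exe",
    "msbind.dll", "cdm.exe", "mscpxl32.exe", "vjoyd.exe", "msload.exe",
}

# Autostart keys the analysis names (compared case-insensitively).
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used by Run keys: [key] headers
    followed by "name"="value" lines.  Keys are lower-cased and the doubled
    backslashes a .reg export uses inside string values are unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _REG_VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def parse_win_ini_autostart(text: str) -> List[str]:
    """Return the programs named on the run= and load= lines of the
    [windows] section of WIN.INI, the legacy autostart the worm edits.
    Entries on those lines are separated by spaces or commas."""
    programs: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                programs.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return programs


def _basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_opaserv_autostarts(reg_text: str, win_ini_text: str) -> List[Tuple[str, str, str]]:
    """Return (location, value name, target) for every autostart entry whose
    target basename is one of the Opaserv.W drop names."""
    hits: List[Tuple[str, str, str]] = []
    reg = parse_reg_export(reg_text)
    for key in AUTOSTART_KEYS:
        for name, target in reg.get(key.lower(), {}).items():
            if _basename(target) in OPASERV_DROP_NAMES:
                hits.append((key, name, target))
    for prog in parse_win_ini_autostart(win_ini_text):
        if _basename(prog) in OPASERV_DROP_NAMES:
            hits.append(("WIN.INI [windows] run=/load=", "", prog))
    return hits


# Constructed sample inputs (not from a real infected machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MMDEVLDR"="C:\\WINDOWS\\MMDEVLDR.EXE"
"winsrv"="c:\\windows\\system\\winsrv.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"CDM"="C:\\WINDOWS\\CDM.EXE"
"LoadManager"="c:\\windows\\system\\msload.exe"
'''

SAMPLE_WIN_INI = r'''[windows]
load=
run=c:\windows\system\scr.scr
device=,,,

[Desktop]
Wallpaper=(None)
'''

if __name__ == "__main__":
    for location, name, target in find_opaserv_autostarts(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"{location}\t{name or '-'}\t{target}")
```

Matching on basename rather than the full path is deliberate: the analysis shows the same files written with mixed-case and lower-case paths, and the value data in a real export may carry quotes or a short (8.3) path. The benign `ctfmon` entry in the sample is there to show that unrelated Run values are not reported.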
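The propagation behaviour described above (one host sending NetBIOS name service probes to many neighbours on its own subnet) is visible in firewall or flow logs long before any share is written to. The detector below is an added example written for this page, not FortiGuard's code: it counts, per source, the number of distinct destinations in the source's own /24 probed on port 137 inside a sliding 60-second window and raises an alert once that count reaches a threshold. The `src=... dst=... proto=... dport=...` record format and the sample records are constructed for the example; adapt `parse_record` to the export your firewall actually produces.

```python
"""Detect a NetBIOS name-service sweep of the local subnet (added example).

The record format and the sample records are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Tuple

NBNS_PORT = 137              # NetBIOS name service (carried over UDP)
WINDOW_SECONDS = 60          # sliding window per source
DISTINCT_DST_THRESHOLD = 20  # distinct neighbours probed before alerting

# Constructed record layout, e.g.
# "2002-10-02T10:00:00 src=192.168.1.20 dst=192.168.1.1 proto=udp dport=137"
_RECORD = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_record(line: str) -> Optional[Tuple[datetime, str, str, str, int]]:
    """Parse one record; returns None for lines that do not match."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def find_nbns_sweeps(lines: List[str], window: int = WINDOW_SECONDS,
                     threshold: int = DISTINCT_DST_THRESHOLD,
                     prefix: int = 24) -> Dict[str, Tuple[datetime, int]]:
    """Return {src: (window start, distinct destinations)} for every source
    that probed >= threshold distinct hosts in its own /prefix on port 137
    within `window` seconds.  Repeated queries to one host do not count."""
    per_src: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, src, dst, _proto, dport = rec
        if dport != NBNS_PORT or dst == src:
            continue
        # The worm sweeps its own subnet; ignore probes leaving it.
        if ip_address(dst) not in ip_network(f"{src}/{prefix}", strict=False):
            continue
        q = per_src[src]
        q.append((ts, dst))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return alerts


def constructed_sample() -> List[str]:
    """Constructed records: one host sweeping 192.168.1.1-25, one host
    resolving a single name server repeatedly, and one host probing a
    different subnet (not a local sweep)."""
    base = datetime(2002, 10, 2, 10, 0, 0)
    lines: List[str] = []
    for i in range(1, 26):
        t = base + timedelta(seconds=i - 1)
        lines.append(f"{t.isoformat()} src=192.168.1.20 dst=192.168.1.{i} proto=udp dport={NBNS_PORT}")
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=192.168.1.30 dst=192.168.1.1 proto=udp dport={NBNS_PORT}")
    for i in range(1, 26):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=192.168.1.40 dst=10.0.0.{i} proto=udp dport={NBNS_PORT}")
    return lines


if __name__ == "__main__":
    for src, (start, n) in find_nbns_sweeps(constructed_sample()).items():
        print(f"ALERT {src} probed {n} distinct local hosts on 137/udp from {start.isoformat()}")
```

Counting distinct destinations rather than packets is what separates a sweep from a chatty but legitimate host: a workstation that re-resolves the same file server every few seconds never trips the threshold, while a host walking the subnet address by address does. The threshold and window are tuning assumptions, not values taken from the analysis.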


Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR