W32/Opaserv.A
Analysis
- Virus is 32bit, with a size of 28,672 bytes
- Virus icon is that of a standard 32bit executable
- Virus attempts to connect to opasoft.com and update
itself; however, the hard-coded URL is no longer available
- Virus copies itself to the Windows folder as ScrSvr.exe
and modifies the registry to load at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  ScrSvr = Windows\ScrSvr.exe
- The virus will attempt to use SMB through NetBIOS, seeking machines on the same IP subnet.
- The virus will scan IP addresses within the
same domain for other shares using NetBIOS via
TCP port 137, seeking systems with open shares.
- If a system is found with an open share, the
virus will copy itself to that machine in the
Windows folder as ScrSvr.exe.
- The virus will modify the WIN.INI configuration file to load the dropped virus at Windows startup.
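
A triage check for the two persistence points described above, as an added example (not part of the original write-up): it scans WIN.INI text and Run-key values collected from a suspect machine for a startup entry that launches ScrSvr.exe. The write-up does not say which WIN.INI entry is modified; checking the standard run= and load= entries of the [windows] section is an assumption, and the sample data is constructed.

```python
import re

DROPPED_NAME = "scrsvr.exe"  # file name from the analysis above


def _names_dropped_file(command: str) -> bool:
    """True if any token in a startup command has the base name ScrSvr.exe."""
    for token in re.split(r'[\s,"]+', command):
        if re.split(r"[\\/]", token)[-1].lower() == DROPPED_NAME:
            return True
    return False


def check_win_ini(text: str) -> list[str]:
    """Return run=/load= lines in the [windows] section that start ScrSvr.exe."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Assumption: only the [windows] run=/load= entries act as autostart.
        if (section == "windows" and sep
                and key.strip().lower() in ("run", "load")
                and _names_dropped_file(value)):
            hits.append(line)
    return hits


def check_run_key(values: dict[str, str]) -> list[str]:
    """Return names of Run-key values whose data starts ScrSvr.exe."""
    return [name for name, data in values.items() if _names_dropped_file(data)]


# Constructed sample artifacts (not taken from a real infection).
SAMPLE_WIN_INI = """\
; constructed sample
[windows]
load=
run=C:\\WINDOWS\\ScrSvr.exe
[Desktop]
run=scrsvr.exe
"""
SAMPLE_RUN_KEY = {"ScrSvr": "C:\\WINDOWS\\ScrSvr.exe", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    print(check_win_ini(SAMPLE_WIN_INI), check_run_key(SAMPLE_RUN_KEY))
```

Matching is on the file's base name, case-insensitively, so a differently named Windows folder or a forward-slash path is still caught, while an entry outside the [windows] section is ignored.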