Virus

W32/Opaserv.Y!worm

Analysis


Specifics
The virus is a 32-bit file packed with "PEPEC"; its packed size is 47,616 bytes. It contains instructions to spread to other computers using NetBIOS and weak password settings. Compromised systems may have the file "speedy.bat" running in memory and installed on the local system, and may also make periodic connection attempts to the web site 'www.speed.com'.

Load at Windows Startup
If the virus is run, it copies itself to the Windows folder on the hard drive as "speedy.bat" and modifies the registry so that it loads at Windows startup, as in this example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Spees2" = C:\Windows\Speedy.bat

An additional file may be created in the Windows folder named "Podre!!." - this small data file contains non-readable characters.
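
The indicators above can be checked offline against data collected from a host. The following is an added example, not part of the original write-up: it assumes the input is text saved from `reg query` on the Run key plus a list of file names from the Windows folder, and the function names and sample data are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_VALUE = "spees2"
# File names are compared with any trailing dot stripped (assumption:
# a listing may show "Podre!!." without its final dot).
DROPPED = {"speedy.bat", "podre!!"}

# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# "speedy.bat" as a whole file name inside a command line, quoted or not.
SPEEDY = re.compile(r'(?:^|[\\/"\s])speedy\.bat(?=["\s]|$)', re.I)

def scan_run_key(reg_query_output):
    """Return (name, data, reasons) for Run values matching the indicators."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m["name"].strip(), m["data"].strip()
        reasons = []
        if name.lower() == RUN_VALUE:
            reasons.append("value name")
        if SPEEDY.search(data):
            reasons.append("target file")
        if reasons:
            hits.append((name, data, reasons))
    return hits

def scan_filenames(names):
    """Return the names that match the dropped files, ignoring case."""
    return [n for n in names if n.lower().rstrip(".") in DROPPED]

# Constructed sample data, not captured from a real system.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Spees2    REG_SZ    C:\Windows\Speedy.bat
    Updater    REG_SZ    "C:\WINDOWS\speedy.bat" /s
    Notes    REG_SZ    C:\Tools\notspeedy.bat
"""
SAMPLE_FILES = ["win.ini", "Speedy.bat", "Podre!!.", "notepad.exe"]

if __name__ == "__main__":
    for name, data, reasons in scan_run_key(SAMPLE_REG):
        print(f"Run value {name!r} -> {data} ({', '.join(reasons)})")
    print("Suspicious files:", scan_filenames(SAMPLE_FILES))
```

Matching on the target file as well as the value name catches a Run entry that points at "speedy.bat" under a different value name.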


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option