Opaserv
Type Network worm
Creator
Date Discovered 2002.09.30
Place of Origin Brazil?
Source Language
Platform MS Windows
File Type(s) .exe
Infection Length 28,672 bytes
Reported Costs

Opaserv, also known as Opasoft, is a large family of network worms that appeared in the fall of 2002. It has backdoor trojan capabilities and caused a major global outbreak in late September and early October 2002. It primarily infects Windows 9x machines; infecting NT-based machines is extremely difficult if not impossible, because the share-level password weakness the worm relies on does not exist there. Early versions carried no destructive payload, but later ones prevented the operating system from booting.

Behavior

Taking Control

When executed, Opaserv checks for a value named "ScrSvrOld" in the local machine Run key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run). If the value exists, the worm deletes the file it points to. Otherwise it looks for "ScrSvr" in the same key and, if that value does not exist, adds "ScrSvr" = "<Windows directory>\ScrSvr.exe". It also checks whether it was started from the Windows directory under the file name ScrSvr.exe; if not, it copies itself there and adds the value "ScrSvrOld" = "<original worm path>" to the same key, which is what causes the earlier copy to be removed on the next run. To ensure only one instance of the worm is running, it creates a mutex named ScrSvr31415.

On any version of Windows 9x it registers itself as a service process, which keeps it out of the task list; on Windows NT-based systems, including 2000 and XP, it instead raises the priority of its own process. The worm then searches the network for shares named "C" (a shared C: drive) and, on finding one, copies itself to C:\Windows\ on the target as Scrsvr.exe. Access to password-protected shares is obtained through the Windows 9x share-level password weakness, which lets a remote client authenticate by supplying only the first character of the password (see Getting Passwords below). To ensure the worm runs when the target starts up, it adds the line "run= c:\ScrSvr.exe" to the [windows] section of the Win.ini file in the target's Windows folder.

It may store log data in files named ScrLog and ScrLog2.

Getting Passwords

Opaserv bypasses share passwords by exploiting the Windows 9x share-level password weakness (Microsoft Security Bulletin MS00-072; the NSFOCUS SA2000-05 advisory listed in the sources below). The flaw is in the server's password comparison: it compares only as many bytes as the client sent, so a client that sends a one-byte password is accepted as soon as that single byte matches the first byte of the real password. Instead of the full keyspace, an attacker therefore needs at most 256 guesses. The worm sends one-character passwords to the target until one is accepted. Windows NT-based systems use user-level authentication and do not have this flaw, which is why the worm cannot spread to them in the same way.

Spreading

Opaserv scans subnets for UDP port 137, the NetBIOS Name Service. It scans the subnet of the infected system, the two subnets adjacent to it, and one random subnet. It also scans ports where scanning is disabled. If it gets a response from a potential target, it additionally scans the two subnets adjacent to the responding system. When the reply data shows that the system runs the File and Print Sharing service, the worm takes note of the hostname and begins infection.
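The check described above, as an added example that is not code from the page or from the worm: it builds the NetBIOS node-status ("NBSTAT") query that a scanner sends to UDP port 137, parses the reply, and reports whether the host registers the Server service name (suffix <20>), which is what File and Print Sharing advertises. The packet layout follows RFC 1002; the reply bytes are constructed inline so the code runs offline, and the query_host helper that talks to a real host is an addition of mine for use only against machines you are authorised to scan.

```python
"""Added example: NetBIOS node-status query and reply parsing (not the worm's code)."""
import socket
import struct

NBSTAT = 0x0021          # node status record type
NB_CLASS_IN = 0x0001
NB_FLAG_GROUP = 0x8000   # name-entry flag: group name rather than unique name
SUFFIX_SERVER = 0x20     # NetBIOS suffix of the Server (file/print sharing) service


def encode_nb_name(name: bytes, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding: 15-byte name + suffix byte, each byte split into two
    nibbles mapped onto 'A'..'P', wrapped as one 32-byte DNS-style label."""
    raw = name.ljust(15, pad)[:15] + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([len(enc)]) + bytes(enc) + b"\x00"


def build_node_status_query(txid: int) -> bytes:
    """NBSTAT query for the wildcard name '*' (padded with NULs, not spaces)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name(b"*", 0x00, pad=b"\x00") + struct.pack(">HH", NBSTAT, NB_CLASS_IN)


def parse_node_status_response(data: bytes):
    """Return [(name, suffix, flags), ...] from a node status reply."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a positive NBSTAT response")
    pos = 12
    while data[pos] != 0:            # skip the answer's name labels
        pos += 1 + data[pos]
    pos += 1
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):       # 18-byte entries: 15-byte name, suffix, 2 flag bytes
        entry = data[pos:pos + 18]
        pos += 18
        names.append((entry[:15].rstrip(b" ").decode("ascii", "replace"),
                      entry[15], struct.unpack(">H", entry[16:18])[0]))
    return names


def has_file_and_print_sharing(names) -> bool:
    """True when a unique <20> name is registered: the condition the worm looks for."""
    return any(s == SUFFIX_SERVER and not f & NB_FLAG_GROUP for _, s, f in names)


def build_sample_response(txid: int, entries) -> bytes:
    """Constructed reply, shaped like a real one, for offline testing."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_nb_name(b"*", 0x00, pad=b"\x00") + struct.pack(">HHI", NBSTAT, NB_CLASS_IN, 0)
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += b"\x00" * 46            # statistics block (MAC address and counters), zeroed here
    return header + rr + struct.pack(">H", len(rdata)) + rdata


def query_host(ip: str, timeout: float = 2.0):
    """Send a real NBSTAT query (assumed helper; only for hosts you may scan)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_query(0x4242), (ip, 137))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)


if __name__ == "__main__":
    sample = build_sample_response(0x4242, [(b"VICTIM", 0x00, 0x0400),
                                            (b"WORKGROUP", 0x00, 0x8400),
                                            (b"VICTIM", 0x20, 0x0400)])
    names = parse_node_status_response(sample)
    print(names, has_file_and_print_sharing(names))
```

The sample reply lists a unique machine name, a group (workgroup) name and the <20> Server service name; only the last one makes the host a candidate, and a group-flagged <20> name would not count.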

During infection, it sends SMB packets over TCP port 139 that carry its commands. One command establishes a connection to \\<hostname of target>\C. If the share is password protected, the worm brute-forces it by trying every possible one-character password. If this succeeds, it copies its executable into the target's Windows folder as scrsvr.exe.
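The password weakness from Getting Passwords and the brute-force step just described, as an added example that is not the worm's code: a model of the Windows 9x share-level comparison (the flaw behind MS00-072 / NSFOCUS SA2000-05) next to a correct comparison, the one-byte guess loop the worm used, and the general byte-by-byte recovery the same flaw permits. The stored password is constructed for the demonstration; nothing here speaks SMB.

```python
"""Added example: share-level password check, vulnerable and fixed (not the worm's code)."""
import hmac


def win9x_share_check(stored: bytes, supplied: bytes) -> bool:
    """VULNERABLE: models the Win9x server, which used the length sent by the
    client and compared only that many bytes, so a one-byte guess is accepted
    whenever it matches the first byte of the real password."""
    return stored[:len(supplied)] == supplied


def fixed_share_check(stored: bytes, supplied: bytes) -> bool:
    """Correct check: lengths must match and the comparison is constant-time."""
    return hmac.compare_digest(stored, supplied)


def one_byte_brute_force(check):
    """What Opaserv does: try each single-byte password until the server says yes.
    Returns (accepted_password, attempts); at most 256 attempts."""
    for attempts, b in enumerate(range(256), start=1):
        guess = bytes([b])
        if check(guess):
            return guess, attempts
    return None, 256


def recover_full_password(check, max_len: int = 16) -> bytes:
    """Generalisation beyond the worm: extend the accepted prefix one byte at a
    time, 256 guesses per position, until no extension is accepted."""
    known = b""
    for _ in range(max_len):
        for b in range(256):
            if check(known + bytes([b])):
                known += bytes([b])
                break
        else:
            break                     # no byte extends the prefix: password complete
    return known


if __name__ == "__main__":
    stored = b"SECRET42"              # constructed share password
    vuln = lambda p: win9x_share_check(stored, p)
    safe = lambda p: fixed_share_check(stored, p)
    print("vulnerable:", one_byte_brute_force(vuln), recover_full_password(vuln))
    print("fixed:     ", one_byte_brute_force(safe), recover_full_password(safe))
```

Against the vulnerable check the one-byte loop succeeds in at most 256 tries and the extension loop recovers the whole password in at most 256 tries per byte; against the fixed check no single-byte guess is accepted and nothing leaks about the prefix.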

The worm reads the target's WIN.INI file and saves a copy on the local (infecting) system at the root of the drive as TMP.INI. It then adds the autorun entry for its dropped executable to that copy and sends it back to the target, overwriting the original WIN.INI. This ensures the worm runs and gains control when the target is restarted.
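The WIN.INI persistence described above, as an added example that is not the worm's code: one function reproduces the edit (a run= line in the [windows] section, appended to an existing one or inserted after the header), and a second lists every program that run= or load= lines would start, flagging the file names this page attributes to Opaserv variants. The win.ini text is constructed; the OPASERV_FILENAMES set is assembled from the variant names on this page and is an assumption about what is worth flagging.

```python
"""Added example: win.ini run= persistence, reproduced and audited (not the worm's code)."""

# File names the page attributes to Opaserv variants. mstask.exe is also a
# legitimate Windows component, so a name match alone is not proof of infection.
OPASERV_FILENAMES = {"scrsvr.exe", "brasil.exe", "brasil.pif", "alevir.exe",
                     "marco!.scr", "instit.bat", "mqbkup.exe", "mstask.exe", "srv32.exe"}


def windows_section_entries(win_ini: str, keys=("run", "load")) -> dict:
    """Programs listed on run=/load= lines of the [windows] section
    (both keys accept several space-separated programs)."""
    found = {k: [] for k in keys}
    section = None
    for raw in win_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in found and value.strip():
            found[key].extend(value.split())
    return found


def add_run_entry(win_ini: str, program: str) -> str:
    """Model of the worm's edit: append the program to an existing run= line in
    [windows], or insert one just after the section header (creating the
    section if the file has none)."""
    lines = win_ini.splitlines()
    section, header_idx = None, None
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "windows" and header_idx is None:
                header_idx = i
            continue
        if section == "windows" and line.partition("=")[0].strip().lower() == "run":
            existing = line.partition("=")[2].strip()
            lines[i] = "run=" + (existing + " " + program if existing else program)
            return "\n".join(lines) + "\n"
    if header_idx is None:
        lines += ["", "[windows]"]
        header_idx = len(lines) - 1
    lines.insert(header_idx + 1, "run=" + program)
    return "\n".join(lines) + "\n"


def audit_win_ini(win_ini: str) -> list:
    """One finding per program started from [windows]; flags Opaserv file names."""
    findings = []
    for key, programs in windows_section_entries(win_ini).items():
        for prog in programs:
            base = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            findings.append({"key": key, "program": prog,
                             "opaserv_name": base in OPASERV_FILENAMES})
    return findings


# Constructed win.ini fragment with the empty load=/run= lines a clean Win9x install carries.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    infected = add_run_entry(SAMPLE_WIN_INI, r"c:\ScrSvr.exe")
    print(infected)
    print(audit_win_ini(infected))
```

Any non-empty run= or load= entry in [windows] is unusual enough on its own to deserve a look; the name match only says which of this page's variants the entry resembles.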

Backdoor

The worm contains a backdoor that also functions as an update mechanism. It connects to the website www.opasoft.com (a site that has since been taken down) and checks for the latest version of itself, downloading the file scrupd.exe, which replaces the existing copy of the worm. It also downloads and runs script files found on the site. While the backdoor is running, it uses the files ScrSin.dat and ScrSout.dat, both of which are protected with a strong encryption algorithm.

Variants

The Opaserv family produced around 20 variants; most appear to come from Brazil.

Opaserv.A

This variant is relatively similar to the original. It appeared in mid-October 2002 and may be referred to as "Brasil". Several strings that are visible in the original are not visible here because the file is compressed with UPX. Its file name is either brasil.exe or brasil.pif. In addition to using the WIN.INI file like the original to run at startup, it creates a value Brasil = <worm filename> in the local machine Run key of the registry.

The site this variant contacts for its backdoor routine is www.n3t.com.br, from which it downloads updates and scripts. A few variants derived from this one may use the file names alevir.exe or marco!.scr.

Opaserv.E

This version appeared in November 2002 and is also believed to come from Brazil. It is compressed with UPX and VGCrypt. Its file name is INSTIT.BAT.


Opaserv.F

This variant appeared late in December 2002. It installs itself as MQBKUP.EXE and carries a trojan payload: a time bomb that prevents the operating system from starting once it is activated.

Opaserv.G

This version also appeared in late December of the same year and has the same payload as Opaserv.F. Its filename is MSTASK.EXE.

Opaserv.N

This variant appeared in early January 2003. It is packed with ASPack and its file name is SRV32.EXE. It removes the files scrsvr.exe, alevir.exe and brasil.exe if it finds them, along with the registry values associated with them.

Opaserv.O

This variant also appeared in January 2003. Its file name is MQBKUP.EXE and the file is compressed with PECompact. It is a close variant of Opaserv.G, with a time bomb that activates if its registry keys are modified. It also displays the following notice when the system is booted:

NOTICE: Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at: 1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information on our website, at: www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.
The payload causes damage to data on an affected hard drive.

Opaserv.S

This variant appeared a little over two years after the original. It contacts the site of a Ukrainian mobile operator to send SMS messages containing the IP addresses of victim machines. It was particularly active in Russia.

Effects

In October 2002, Kaspersky Lab reported that Opaserv accounted for around 40% of its support calls, a figure exceeding those for such dangerous worms as Klez and Tanatos. It affected systems primarily in Asia and Europe, with reports from Russia, Germany, France, Britain and Korea.

Other Facts

Opaserv appears to have a symbiotic relationship with the memory-resident file virus Dupator. Some variants of Opaserv were known to carry Dupator. Whether this was intentional, or whether Dupator at some point simply infected a copy of Opaserv and was then carried along with every subsequent infection, is unknown.

Some have reported Dupator downloading the Opaserv worm. This is unlikely given the functionality of each piece of malware, and the way Opaserv spreads makes it easy to mistake which one brought in the other. It is all the more unlikely, unless the creators were planning very far ahead, because Dupator appeared nearly three years before the first variant of Opaserv.

The domain opasoft.com was apparently used by an allegedly Riga-based OPA Software Inc., a producer of screen savers. No further information about the company is available.

Sources

F-Secure. Opaserv.

NSFocus Security Team. BUGTRAQ: NSFOCUS SA2000-05, Microsoft Windows 9x NETBIOS password. 2000.10.12

Douglas Knowles. Symantec, W32.Opaserv.Worm. 2007.02.13

Douglas Knowles. Symantec, W95.Dupator.1503. 2007.02.13

Juniper Networks. WORM.WIN32.OPASOFT.S. 2004.10.12

Opasoft worm threatens Windows systems. 2002.10.07

Easy Desk Newsletters. Beating the Dupator! Virus and Opasoft Worm.

ChannelPartner (IDG). "Trojaner-Wurm 'Opasoft' tarnt sich mit Verschlüsselungstool" (Trojan worm "Opasoft" disguises itself with an encryption tool). 2002.10.22

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License