W32/Opaserv-V is a worm that spreads by copying itself to network shares, according to Sophos, which issued an alert Monday.
The worm drops copies of itself to the Windows folder as Banda!, Podre!! and speedy.pif, then adds an entry to the registry at HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Spees3 to run itself on system restart. The worm attempts to copy itself to the Windows folder on networked computers with open shared drives. The worm then modifies the win.ini on the remote machine to ensure it will be run on system restart. W32/Opaserv-V also attempts to update itself periodically from a pre-configured Web site. Instructions for removing worms are at this Sophos page.
Password-Stealing Trojan Sends Information to Author via Email
PWS-PPort is a password-stealing Trojan that captures keystrokes and sends notification and the captured information to the author via email. Locally cached online email and bank account credentials (username/password), as well as local access credentials, are particularly exposed to this threat.
There are several variants of the Trojan; this description is a general guide.
When run, the Trojan copies itself to the %Sysdir% directory as USER32.EXE. Two other files are dropped into the same folder as:
It creates a registry run key to load itself at Windows start up:
This Trojan also checks the system for on-line bank related information.
The Trojan uses its own SMTP engine to mail the system details to a Brazilian address.
More information is at this McAfee page.
Virus Carries out Several Malicious Activities
PE_Lamin.B is a memory-resident file infector that searches all drives (local or mapped) for suitable .EXE files to infect.
It has backdoor capabilities that enable the virus to open port 6667 and listen for commands from a malicious user to process on the machine. It has the ability to carry out the following malicious actions remotely, thus compromising system security:
It also attempts to terminate certain processes. It runs on Windows 95, 98, ME, NT, 2000 and XP.
Technical details are at this Trend Micro page.
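The persistence and backdoor behaviours described in the Opaserv-V, PWS-PPort and PE_Lamin.B items above are the kind of indicators an administrator can check for on a suspect host. The following is an added example written for this article, not code from Sophos, McAfee or Trend Micro: it parses a registry Run-key export, a win.ini and a netstat-style socket listing and flags only the values the alerts name (the Run value Spees3; the dropped files Banda!, Podre!!, speedy.pif and USER32.EXE; a listener on TCP port 6667). The sample inputs are constructed, and two details are assumptions rather than facts from the alerts: that Opaserv-V uses the run= line of win.ini, and the Run value name under which USER32.EXE is launched.

```python
# Added example (not from the alerts or the vendors' tools): defender-side
# checks for the indicators named in the Opaserv-V, PWS-PPort and PE_Lamin.B
# descriptions, run over constructed sample data.
import configparser
import re

# Indicator values taken from the alerts. Matching is case-insensitive.
SUSPICIOUS_RUN_VALUES = {"spees3"}                         # Opaserv-V Run value
SUSPICIOUS_FILES = {"banda!", "podre!!", "speedy.pif",     # Opaserv-V dropped files
                    "user32.exe"}                          # PWS-PPort (user32 is a .dll, never an .exe)
BACKDOOR_PORTS = {6667}                                    # PE_Lamin.B listener


def check_run_key(reg_export: str) -> list[str]:
    """Scan a .reg export for Run values whose name or target file matches an indicator."""
    findings = []
    in_run = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):                    # a new key header; only the Run key matters
            in_run = line.lower().endswith("\\currentversion\\run]")
            continue
        if not in_run or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"').lower()
        value = value.strip().strip('"').lower()
        target = re.split(r"[\\/]", value)[-1]      # file name, whether or not backslashes are doubled
        if name in SUSPICIOUS_RUN_VALUES or target in SUSPICIOUS_FILES:
            findings.append(f"Run value {name} -> {value}")
    return findings


def check_win_ini(win_ini: str) -> list[str]:
    """Flag run=/load= entries in [windows] that reference a known dropped file.

    Assumption (not stated in the alert): the worm appends to the run= line.
    """
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cfg.read_string(win_ini)
    findings = []
    if not cfg.has_section("windows"):
        return findings
    for key in ("run", "load"):
        value = cfg.get("windows", key, fallback="") or ""
        for item in value.split():                  # run= may list several programs
            target = re.split(r"[\\/]", item.lower())[-1]
            if target in SUSPICIOUS_FILES:
                findings.append(f"win.ini {key}={item}")
    return findings


def check_listeners(netstat_output: str) -> list[str]:
    """Report listening TCP sockets on a backdoor port from 'netstat -an' style output."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[-1])     # handles both 0.0.0.0:6667 and [::]:6667
        if port in BACKDOOR_PORTS:
            findings.append(f"listener on {parts[1]}")
    return findings


# Constructed sample inputs; the value name "Updater" for USER32.EXE is invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spees3"="C:\\WINDOWS\\speedy.pif"
"Updater"="C:\\WINDOWS\\SYSTEM32\\USER32.EXE"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
'''

SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\Banda!
NullPort=None

[Desktop]
Wallpaper=(None)
'''

SAMPLE_NETSTAT = '''Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1054        192.0.2.20:445         ESTABLISHED
'''


def scan_host(reg_export: str, win_ini: str, netstat_output: str) -> list[str]:
    """Run all three checks and return the combined findings."""
    return check_run_key(reg_export) + check_win_ini(win_ini) + check_listeners(netstat_output)


if __name__ == "__main__":
    for finding in scan_host(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_NETSTAT):
        print("FINDING:", finding)
```

On a real machine the three inputs would come from `reg export` of the Run key, the win.ini in the Windows folder, and `netstat -an`; the file-name list is deliberately limited to the names the alerts give, since a generic "unknown Run entry" rule would need a baseline the article does not provide.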
Worm Sends Email in Spanish
Lohack.E is a worm that spreads via e-mail, through the peer-to-peer (P2P) file sharing program KaZaA and across networks.
The e-mail message carrying Lohack.E is always in Spanish and has extremely variable characteristics. The content of many of these messages refers to the Spanish Information Society and E-mail Services Law. Furthermore, Lohack.E tricks users into thinking that the message has been sent from a trustworthy source by using one of the following addresses as the sender of the message:
Ministerio de Ciencia y Tecnología (info@myct.es)
Panda Antivirus (OXYGEN@pandasoftware.es)
Lohack.E exploits a vulnerability in Internet Explorer (versions 5.01 and 5.5), which allows it to be automatically run when the message carrying the worm is viewed in the Preview Pane.
In addition, Lohack.E moves the mouse around the screen, obstructing the tasks performed.
Technical details are at this Panda Software page.
--Compiled by Esther Shein