Also known as "Opaserv," it is a network worm that has a backdoor routine. Other aliases include: Worm_Win32_Opasoft, Worm.Win32.Opasoft, I-Worm.Opasoft.
The worm spreads over local and wide-area networks using MS Windows NETBIOS services. The worm itself is a Windows PE EXE file with a length of about 28KB. F-Secure is giving it a Level 2 rating, meaning it is causing large infections. The worm installs itself to the Windows directory with the name "scrsvr.exe" and registers this file in the system registry's auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScrSvr = %worm name%
Opasoft then deletes the original file from where it was started. In order to find victim computers, Opasoft scans subnets for port 137 (NETBIOS Name Service). If Opasoft happens upon the responding IP address of an actual computer while searching/scanning, the worm then scans the two nearest subnets of that IP address. When "reply data" is received, Opasoft checks the special field that it contains. If it shows that the given computer has the service "File and Print Sharing" open, Opasoft begins its infection procedure on that computer as a remote host.
For more information on what happens during infection, visit this F-Secure Web page.
To find out what some other visible symptoms are, visit this Panda Software page.
Ivanet Trojan Horse Has Appeared
The Trojan.Ivanet Trojan Horse was discovered on Monday, Symantec reports. It attempts to disguise itself as an .avi file.
This Trojan is written in Delphi and is compressed with UPX. The uncompressed size of this file is about 334 KB. The company has given it a low threat and distribution rating.
Find out what happens when it is launched and get removal instructions at this Symantec page.
Loading Comments...