Download our in-depth report: The Ultimate Guide to IT Security VendorsTwo new epidemics, 'Opasoft' and 'Tanatos', have been discovered this week. The first report was received on Monday and it came from Russia, "but this does not mean that the viruses originated from Russia," said Denis Zenkin, Head of Corporate Communications of Kaspersky Labs.
As investigations are on-going to find out where the viruses could have come from, the number of infected PCs by both viruses is on the rise.
Currently, Tanatos makes up more than 25 percent of all the virus reports received by Kaspersky Labs' technical support team while Opasoft makes up another 15 percent. In Asia, Korea seems to be hardest hit, making up more than half of all the reports received.
Another anti-virus software provider, Trend Micro, has also sent out an alert to warn users of Tanatos (also known WORM_BUGBEAR.A) and Opasoft. According to Trend Micro's last record, Opasoft has already infected 17 computers in Japan and 10 in Taiwan. Five of the reports in Taiwan were from corporate users while the remaining five were from inidividual users.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iAs for Kaspersky Labs, all the complains received were from individual users rather than companies, said Zenkin. A major reason behind this could be that companies are now taking virus threats more seriously as compared to two years ago. They have therefore put up the necessary defenses while individual users have yet to do the same.
Both viruses contain backdoor-features and the biggest threats they pose are that they would steal confidential information from users' PC and would also destroy critical data. To protect themselves from these viruses, Zenkin has this advice: "Simply apply the patch for the IFRAME breach in the Internet Explorer security system and update the anti-virus software. These two measures will prevent Tanatos and Opasoft from infecting users' networks."
How Both Viruses Spread
Opasoft spreads through and between local area networks. After penetrating a computer, the worm copies itself to the Windows system directory under the name 'SCRSVR.EXE'. In order to launch itself upon operating system restart, it then registers this file in the Windows registry auto-run key and additionally modifies the WIN.INI initialization file.
Its Trojan component is designed to accomplish unauthorized remote control of infected machines. Specifically, the Opasoft worm connects to the www.opasoft.com Web site, where it downloads its updated versions (if there are any) and launches on the infected computer malicious script programs. The Web site, www.opasoft.com, is already closed, therefore the described Trojan functions are no longer operative.
Presently, three modifications of the Opasoft worm are known. The defense against all three has already been added to the Kaspersky Anti-Virus databases.
Tanatos, on the other hand, is a Windows PE EXE file about 50KB in length (it is compressed by the UPX utility) written in Microsoft Visual C++. It looks for .exe files, which are mostly anti-virus applications, and then terminates them.
Tanatos spreads itself via email. These emails have no message body but would carry one of the possible subjects listed in the table below to all addresses found in the Windows Address Book (WAB).
|$150 FREE Bonus!|
|25 merchants and rising|
|CALL FOR INFORMATION!|
|click on this!|
|Correction of errors|
|Daily Email Reminder|
|Get 8 FREE issues - no risk!|
|Get a FREE gift!|
|I need help about script!!!|
|Just a reminder|
|Lost & Found|
|Market Update Report|
|My eBay ads|
|New bonus in your cash account|
|Tools For Your Online Business|
|Your News Alert|