Sophos

W32/Opaserv-H


Summary

 
Included in our products from February 2003 (3.66)
Detected by All Sophos products

Action

Read instructions on how to remove the W32/Opaserv-H worm and ensure your system is not vulnerable to reinfection.

More Information

W32/Opaserv-H is a network-aware worm. W32/Opaserv-H tries to locate Windows network shares on computers which are accessible across the internet. It then copies itself to those computers, placing itself in the Windows folder in a file called MSTASK.EXE, usually 18853 bytes in size. (Note: Windows computers normally have a file by this name, but you will find it in the system folder, not in the Windows folder.)

W32/Opaserv-H creates the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mstask = "C:\%WINFOLDER%\MSTASK.EXE"

or

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mqbkup = "C:\%WINFOLDER%\MQBKUP.EXE"

This automatically launches the worm every time you log on.

The worm also adds the line run=c:\windows\mstask.exe to your WIN.INI file. This is intended to launch the worm every time you start Windows.

W32/Opaserv-H adds an additional section in WIN.INI with several new entries as shown:

[msappfont]
value
font
style

These values are used by the worm to trigger its payload upon its second or subsequent execution.
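As an added example (not Sophos code), the following Python checks the text of a WIN.INI file for the two changes described above: a run= entry that launches mstask.exe (or mqbkup.exe) from outside the system folder, where the legitimate copy lives, and the added [msappfont] section. The sample INI contents are constructed.

```python
"""WIN.INI check for the W32/Opaserv-H changes above (added example, not Sophos code)."""
import ntpath

WORM_BINARIES = {"mstask.exe", "mqbkup.exe"}  # names used by the worm's Run entries
SYSTEM_FOLDERS = ("system", "system32")        # where a legitimate mstask.exe lives


def parse_win_ini(text):
    """Minimal WIN.INI parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def opaserv_indicators(ini_text):
    """Return a list of findings; an empty list means nothing matched."""
    ini = parse_win_ini(ini_text)
    findings = []
    # run= may list several programs, separated by spaces or commas
    for entry in ini.get("windows", {}).get("run", "").replace(",", " ").split():
        name = ntpath.basename(entry).lower()
        folder = ntpath.dirname(entry).lower().rstrip("\\")
        # the worm drops into the Windows folder, not the system folder
        if name in WORM_BINARIES and not folder.endswith(SYSTEM_FOLDERS):
            findings.append(f"run= launches {entry}")
    if "msappfont" in ini:
        keys = ", ".join(sorted(ini["msappfont"]))
        findings.append(f"[msappfont] section present with keys: {keys}")
    return findings


SAMPLE_INFECTED = r"""[windows]
run=c:\windows\mstask.exe
[msappfont]
value=2
font=12
style=24
"""  # constructed sample of an infected WIN.INI
SAMPLE_CLEAN = r"""[windows]
run=c:\windows\system\mstask.exe
"""  # constructed sample: legitimate mstask.exe in the system folder

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)): print(label, opaserv_indicators(sample) or "no indicators")
```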

W32/Opaserv-H has a payload which may trigger if the date is 24 December 2002 or later.

If the current month is the same as the month of initial infection, the payload triggers on the second and subsequent days counted from the day of initial infection.

In any other calendar month, the payload triggers on every day except the 1st day of the month.

When the payload triggers, the worm drops and runs Qzap-248, which overwrites the boot sector of the hard disk so that, during boot up, the following message is displayed:

NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.

All other sectors of the hard disk will be overwritten with random bytes, wiping out all information on the hard disk. The program also attempts to do the same to the floppy drives.

W32/Opaserv-H then immediately restarts the computer by dropping and running the file boot.exe.

When the payload triggers the following files will be dropped, and files with the same filenames will be replaced:
C:\boot.ini
C:\msdos.sys
C:\autoexec.bat
C:\boot.exe
C:\mslicenf.com (detected as Qzap-248)
C:\bootsect.dos (detected as Troj/Qzap-249)

Depending on the version of the operating system, W32/Opaserv-H might also attempt to modify command.com, io.sys and regenv32.exe, which leaves the computer unable to boot and displays garbage instead.
