Summary
| How it spreads | Email messages, network shares, IRC clients, overwriting existing applications |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | March 2005 (3.91) |
| Protection available since | 29 January 2005 15:22:05 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Opossum-A is a worm for the Windows platform.
When first run, W32/Opossum-A copies itself to the following locations:
<Temp folder>\help32.exe
<current folder>\Sir.d4ng3
\Trash\svchost.exe
\ntdetect32.exe
<Windows folder>\<digits> (no file extension)
<Windows folder>\ntdetect32.exe
<Windows folder>\regedit32.exe
<Windows system folder>\Documento.doc<spaces>.pif
<Windows system folder>\Documents.doc<spaces>.pif
<Windows system folder>\Preventivo.doc<spaces>.pif
<Windows system folder>\excel_file.doc<spaces>.pif
<Windows system folder>\logo10090.gif<spaces>.pif
<Windows system folder>\regedit.exe
<Windows system folder>\regedit32.exe
<Windows system folder>\regscan32.exe
<Windows folder>\w32.exe
<Windows folder>\regedit.exe
The worm spreads via several mechanisms including:
email messages
network shares
IRC clients
overwriting existing applications
W32/Opossum-A attempts to disable access to the following applications:
regedit.exe (overwritten with a copy of the worm)
taskmgr.exe
notepad.exe
wordpad.exe
write.exe
wuauclt.exe
msconfig.exe
The worm may also share the C: drive on the network, and may reboot or shut down the computer. Several registry entries are created or modified by W32/Opossum-A, including the following (key, then value name and data where the advisory gives them):
HKCR\.d4ng3\
  <several entries>
HKLM\Software\sshare
HKCU\Software\Microsoft\Outlook Express\5.0\Mail
  Warn on Mapi Send (the Outlook Express setting that warns when another program tries to send mail)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  <decimal number> (eg, 0.12345678) = "<path to worm copy>"
  NetSyStem
  Microsoft
  Trash = "C:\Trash\svchost.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  ScanRegistry
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCR\regfile\shell\open\command
HKCR\keyfile\shell\open\command
HKCR\inifile\shell\open\command
  (the default handlers run when a .reg, .key or .ini file is opened)
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  DisallowRun = <number> (the Explorer policy that prevents named programs from running)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  NoWinKeys
  NoFolderOptions
  NoViewContextMenu
  NoClose
  NoSetFolders
  NoRun
  NoFind
  NoDrives
W32/Opossum-A can generate thousands of registry entries that load copies of the worm when a user logs on.
Email sent by W32/Opossum-A either appears to come from "support@microsoft.com" or is forged using the current user's identity. The worm can also forward messages currently in the user's inbox with copies of itself attached.
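The drop locations and registry entries above are the indicators a responder would check for, and they can be checked offline. The following Python script is an added example written for this page, not Sophos's code or the worm's: it parses the text of a `reg export` dump together with a list of file paths, and reports autorun values that point at the worm's drop locations, the Explorer policy lockouts, DisallowRun entries naming the tools the worm disables, .reg/.key/.ini handlers redirected to a worm copy, and file names that hide a .pif extension behind a document-looking name and space padding. The registry export and file list embedded in it are constructed for the example; the path fragments, value names and policy names it matches are taken from the lists above, and the finding categories are this example's own.

```python
"""Offline triage for the W32/Opossum-A indicators described in this advisory.

Input is the text of a `reg export` dump (decode its UTF-16LE output first)
plus a list of file paths, e.g. from a directory listing of the Windows and
System32 folders. The registry export and file list embedded below are
constructed for this example; they were not captured from an infected host.
"""
import re
from typing import Dict, List, Tuple

Findings = List[Tuple[str, str]]

# Keys are compared lower-case. Drop-location fragments come from the advisory's list.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
WORM_PATH_FRAGMENTS = (r"\trash\svchost.exe", "help32.exe", "ntdetect32.exe",
                       "regedit32.exe", "regscan32.exe", r"\w32.exe", ".d4ng3")
AUTORUN_NAMES = {"netsystem", "scanregistry", "microsoft", "trash"}
EXPLORER_POLICIES = {"disallowrun", "nowinkeys", "nofolderoptions", "noviewcontextmenu",
                     "noclose", "nosetfolders", "norun", "nofind", "nodrives"}
DISABLED_TOOLS = {"regedit.exe", "taskmgr.exe", "notepad.exe", "wordpad.exe",
                  "write.exe", "wuauclt.exe", "msconfig.exe"}
HIJACKED_HANDLERS = {r"hkey_classes_root\regfile\shell\open\command",
                     r"hkey_classes_root\keyfile\shell\open\command",
                     r"hkey_classes_root\inifile\shell\open\command"}
# "Documento.doc          .pif": document-looking extension, space padding, then the real one.
DISGUISED_NAME = re.compile(r"\.(doc|gif|txt|jpg|xls)\s+\.(pif|exe|scr|com|bat)$", re.I)
VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset `reg export` emits for string and dword values."""
    hives: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else m.group(1)  # "@" is the default value
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            hives[current][name] = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # unescape \" and \\
        elif data.lower().startswith("dword:"):
            hives[current][name] = int(data[6:], 16)
        else:
            hives[current][name] = data  # hex(...)/binary values are kept raw
    return hives


def triage(reg_text: str, filenames: List[str]) -> Findings:
    """Return (category, detail) pairs for every indicator found."""
    findings: Findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key in AUTORUN_KEYS:
            for name, data in values.items():
                target = str(data).lower()
                if (any(frag in target for frag in WORM_PATH_FRAGMENTS)
                        or name.lower() in AUTORUN_NAMES
                        or re.fullmatch(r"\d+\.\d+", name)):  # e.g. "0.12345678"
                    findings.append(("autorun", f"{key}\\{name} -> {data}"))
        elif key.endswith(r"\policies\explorer"):
            for name, data in values.items():
                if name.lower() in EXPLORER_POLICIES and data not in (0, "0"):
                    findings.append(("explorer-policy", f"{key}\\{name} = {data}"))
        elif key.endswith(r"\policies\explorer\disallowrun"):
            for name, data in values.items():
                if str(data).lower() in DISABLED_TOOLS:
                    findings.append(("disallowrun", f"{name} -> {data}"))
        elif key in HIJACKED_HANDLERS:
            handler = str(values.get("@", ""))
            if any(frag in handler.lower() for frag in WORM_PATH_FRAGMENTS):
                findings.append(("handler-hijack", f"{key} -> {handler}"))
        elif key.startswith(r"hkey_classes_root\.d4ng3") or key == r"hkey_local_machine\software\sshare":
            findings.append(("worm-key", key))
    for path in filenames:
        base = path.rsplit("\\", 1)[-1]
        if DISGUISED_NAME.search(base):
            findings.append(("disguised-name", path))
        elif base.lower().endswith(".d4ng3"):
            findings.append(("worm-extension", path))
    return findings


# Constructed sample input (hypothetical infected host), not real capture data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"0.12345678"="\"C:\\WINDOWS\\regedit32.exe\""
"NetSyStem"="C:\\WINDOWS\\system32\\regscan32.exe"
"Trash"="C:\\Trash\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="taskmgr.exe"
"2"="msconfig.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001
"NoDrives"=dword:03ffffff

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="C:\\WINDOWS\\regedit32.exe \"%1\""

[HKEY_CLASSES_ROOT\.d4ng3]
@="d4ng3file"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\Documento.doc          .pif",
    r"C:\WINDOWS\system32\logo10090.gif          .pif",
    r"C:\WINDOWS\system32\calc.exe",
    r"C:\share\Sir.d4ng3",
    r"C:\share\report.doc",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REG, SAMPLE_FILES):
        print(f"{category:16} {detail}")
```

The legitimate `ctfmon.exe` autorun and the plain `calc.exe` and `report.doc` entries in the sample are there to show that the checks key on the worm's specific paths, value names and the padded-extension pattern rather than on any Run value or any .pif file. On a live host the same functions can be fed the output of `reg export <key> <file>` (decoded from UTF-16LE) and a recursive directory listing of the Windows and System32 folders.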
Due to bugs in the code and to external file dependencies, W32/Opossum-A may terminate before delivering any of its intended payloads.
