Win32.Opaserv.D is very similar in function to Win32.Opaserv.A, although it creates two extra log files in the Windows directory: "ScrLog" and "ScrLog2".
Win32.Opaserv is a worm which spreads through shared Windows drives and became surprisingly widespread in early October 2002.
When run, the worm copies itself to the Windows directory. It then adds the following value to the registry so that this copy is run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr="%Windows%\ScrSvr.exe"
It also creates the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvrOld="ScrSvr.exe"
This value is set to the file from which the worm was originally run. This registry key is later deleted.
The files ScrSin.dat and ScrSout.dat are also created in the %Windows% directory.
It attempts to copy itself across Windows Networking (SMB) networks by exploiting a very old vulnerability in the way Windows 95, 98, 98SE and ME machines verify network share passwords. In short, unpatched versions of these Operating Systems can be fooled into accepting just a single character password, regardless of how long a password is actually set on the share (so long as a password has been set). Microsoft shipped a patch to fix this vulnerability in October 2000. A brief description of the problem with links to the patch download locations and installation instructions is available from this Microsoft security bulletin:
All users of Windows 95, 98, 98SE and ME machines that have file and print sharing enabled should obtain and install that patch, as despite the rather weak recommendation the security bulletin gives for its installation, it really should be considered a critical update. Exploit code, allowing remote password discovery against share-level passwords, has been available since around the time the vulnerability was first disclosed, but Opaserv is the first malware known to have exploited this weakness.
The share-level password vulnerability only affects the non-NT versions of Windows. Further, it only affects shares available via share-level access permissions - Windows 9x and ME machines that are part of a domain and only employ user-level (or domain) access controls are not vulnerable to this exploit. Microsoft recommends "...that user-level access permissions be granted to shares rather than share level permissions based on passwords".
Earlier reports of Opaserv's operation suggested that it spread through open shares (i.e. ones with no passwords) or shares with only very short, or one character, passwords. This is incorrect. Opaserv spreads by exploiting the share-level password vulnerability mentioned above, specifically trying to attach to the 'C' share (the default name of a share based at the root of the C: drive) of randomly selected IP addresses. If it can attach to such a share, it attempts to copy itself to \WINDOWS\scrsvr.exe on the share (this, of course, requires that not only is the C: drive shared and Windows installed in the default directory, but that 'full', rather than 'read-only' access has been granted to the share).
Note: Even though this particular vulnerability does not affect NT-based Windows operating systems (NT, 2000, XP), Opaserv will still successfully copy itself to these systems if it finds a share that meets the above criteria.
Failure to patch this vulnerability in Windows means that disinfecting a machine is only a very temporary fix so long as it remains attached to the network(s) from which it was initially infected. If access to Microsoft Networking ports cannot be blocked or otherwise hardened with a firewall or similar means and a Windows 9x or ME machine must be left on a hostile network, the patch absolutely must be applied or the machine will likely be re-infected in short measure.
The worm also attempts to update itself by downloading the file scrupd.exe from a webserver and replacing itself with the new version. The server has been closed, so this should not pose any further threat.
Regards
Phil
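A small detector for the persistence and dropped-file indicators described in the post above (the ScrSvr and ScrSvrOld Run values, ScrSvr.exe, ScrSin.dat and ScrSout.dat, the Opaserv.D ScrLog files and the scrupd.exe update), written here as an added example; it is not part of Phil's post or any vendor tool. It assumes a REGEDIT4-style export of the Run key and a plain listing of the Windows directory as input; the sample export and file listing are constructed, and the parser handles only quoted string values.

```python
from pathlib import PureWindowsPath

# Indicators taken from the write-up above (registry value names and dropped files).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"scrsvr", "scrsvrold"}  # ScrSvrOld is deleted again later, so ScrSvr alone suffices
DROPPED_FILES = {"scrsvr.exe", "scrsin.dat", "scrsout.dat",  # created by all variants
                 "scrlog", "scrlog2",                          # extra log files of Opaserv.D
                 "scrupd.exe"}                                 # the downloaded update

def parse_reg_export(text):
    """Minimal parser for a REGEDIT4 / .reg export: {key: {value_name: string_data}}.
    Only quoted REG_SZ values are handled; hex(...) data is ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"'):
                # .reg files escape backslashes and quotes inside string data
                data = data.strip().strip('"').replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name.strip('"')] = data
    return keys

def find_opaserv_indicators(reg_text, windows_dir_listing):
    """Return human-readable findings for Opaserv Run-key entries and dropped files."""
    findings = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, data in run_values.items():
        if name.lower() in RUN_VALUES:
            findings.append(f"registry: Run\\{name} = {data}")
    for path in windows_dir_listing:
        if PureWindowsPath(path).name.lower() in DROPPED_FILES:
            findings.append(f"file: {path}")
    return findings

# Constructed sample input (not a real capture): Run key export and directory listing
# as they would look on an infected Windows 9x machine; the benign entry is made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
"ScrSvrOld"="ScrSvr.exe"
"ExampleBenignApp"="C:\\Program Files\\Example\\tray.exe"
'''
SAMPLE_LISTING = [r"C:\WINDOWS\ScrSvr.exe", r"C:\WINDOWS\ScrSin.dat",
                  r"C:\WINDOWS\ScrSout.dat", r"C:\WINDOWS\win.ini"]

if __name__ == "__main__":
    for finding in find_opaserv_indicators(SAMPLE_REG, SAMPLE_LISTING):
        print(finding)
```

On a live machine the same functions can be fed a regedit export of the Run key and a directory listing of %Windows%; a hit on ScrSvr alone is enough, since the worm removes ScrSvrOld itself.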