Name: wawadave
New Worm Variant Spreads Through Open Ports
September 22, 2003
PandaLabs reported Monday it has detected the appearance of the new Y variant of the Opaserv worm. According to data gathered by Panda Software's international technical support services, this malicious code is already causing incidents.

Opaserv.Y spreads directly through the Internet by looking for computers to infect. In order to do this, it checks if port 137 is open and unprotected. If it is, Opaserv.Y gets into the computer through port 139 and copies itself in the C:\Windows directory under the name Speedy.scr.
At the same time, it generates several entries in the Windows Registry in order to ensure that it is run whenever the computer is started up. If the infected computer is connected to a network, Opaserv.Y will exploit the Windows vulnerability known as Share Level Password - based on an inconsistency in the protection of network shares in the operating systems Windows Me/98/95- in order to spread to the rest of the computers in the network.
At present, PandaLabs has detected two versions of Opaserv.Y. The difference between the two is the compression utility they are packed with. Another characteristic of this malicious code is that if the user runs the file carrying the worm from an MS-DOS window, instead of displaying the following message: "This program requires MS Windows", one of the following three will be displayed:
Telefonica ganhe menos e faca mais!!
Queremos melhores servicos da SPEEDY
Melhorem o servico Speed seus FDPS!!
Due to the incidents detected and to avoid falling victim to Opaserv.Y, Panda Software advises users to treat all e-mails received with caution and to update their antivirus solutions immediately. For more information about Opaserv.Y and other malicious code, visit Panda Software's Virus Encyclopedia here.
Trojan Targets Networks with Weak Passwords
W32/Agobot-S is an IRC backdoor Trojan and network worm. It copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.
Microsoft has issued patches for the vulnerabilities exploited by this worm. These patches are available from:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
and
http://www.microsoft.com/technet/security/bulletin/MS03-001.asp

When first run, W32/Agobot-S copies itself to the Windows System folder as scvhost.exe and creates the following registry entries so that scvhost.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Config Loader = scvhost.exe

and

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Config Loader = scvhost.exe

On Windows NT, 2000 and XP, W32/Agobot-S may run itself as a new service called Cfgldr. Each time W32/Agobot-S is run it attempts to connect to a remote IRC server and join a specific channel. W32/Agobot-S then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC.
Instructions for removing worms are at this Sophos page.
Trojan Sends Banking Details to Author
Trojan.Abaxo is a Trojan Horse that sends banking details to a remote server for the author to collect. The Trojan arrives as a form that looks like a Bingo application from Banco Itaz. Technical details are at this Symantec page.
VB Worm Spreads via P2P Networks
There are several variants of W32/Titog.worm, so this description is a general guide. Things such as specific file-sizes, file-names and directory-names used may vary.
This worm is written in Visual Basic and propagates via P2P networks, such as Kazaa. It creates a shared folder and creates multiple copies of itself into this folder. Kazaa's default shared folder is changed to this folder by changing the following registry keys:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir0" = 12345:C:\WINDOWS\SYSTEM\Shared
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir1" = 12345:C:\WINDOWS\SYSTEM\Shared
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir16" = 12345:C:\WINDOWS\SYSTEM\Shared
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir22" = 12345:C:\WINDOWS\SYSTEM\Shared
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir5" = 12345:C:\WINDOWS\SYSTEM\Shared\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "DisableSharing" = 00, 00, 00, 00
The name of the shared directory created varies, some of which are:
c:\WINDOWS\SYSTEM\GotITFolder
c:\WINDOWS\SYSTEM\Shared
The worm uses common file names. They can be viewed, with other information, at this McAfee page.

Worm Appends Windows Directory Files
W32/Pate.b.worm is an encrypted parasitic file-infecting virus and network aware worm. It appends PE EXE and SCR files in the Windows directory and subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section with a random 3 letter section header followed by the character "".
The virus creates the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

The virus may mis-infect files with an incomplete virus body. These damaged samples are detected as W32/Pate.b.dam, cannot be repaired, and should be deleted and restored from backup. More information is at this McAfee page.
Worm Drops Copy of Itself in HTML Format
Worm_Caspid.A is a memory-resident worm that spreads through different peer-to-peer file-sharing networks, including Kazaa, Morpheus, LimeWire and BearShare.
It spreads via email by dropping a copy of itself in HTML format and setting the HTML copy as the default stationery for outgoing Outlook email messages. As a result, all HTML-formatted messages sent using Outlook Express with the default stationery contain a copy of this worm.
It exploits a known vulnerability affecting Microsoft Outlook Express 5.5 and 6.0 which enables MIME-encoded programs inside HTML files to execute. For more information about the vulnerability and to get hold of the critical patches, visit this Microsoft page.
This worm infects HTML files in all folders and subfolders on the infected system. It prepends a copy of itself into host files and encrypts the original contents of its hosts.
It runs on Windows 95, 98, ME, NT, 2000, and XP. Technical details are at this Trend Micro page.
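The alerts above all name the registry entries these worms write to survive a reboot or to hijack a Kazaa share. As an added example (not code from the post or from any of the vendors it quotes), here is a Python script that parses a text registry export (a regedit .reg file) and reports entries matching those documented indicators: the "Config Loader = scvhost.exe" autorun entries of W32/Agobot-S, the Kazaa LocalContent "DirN" values redirected to C:\WINDOWS\SYSTEM\Shared or GotITFolder and the DisableSharing value forced to zero by W32/Titog.worm, and the Explorer\PINF marker key of W32/Pate.b.worm. The .reg sample embedded at the bottom is constructed for the demonstration; the indicator strings are the ones quoted in the alerts.

```python
"""Scan a regedit .reg export for the persistence/share indicators quoted in the alerts."""
import re
import sys

# Indicators taken from the alerts above. A None value name means that the
# existence of the key itself is the indicator (the Pate.b marker key).
INDICATORS = [
    {
        "label": "W32/Agobot-S autorun entry",  # scvhost.exe is a look-alike of the real svchost.exe
        "key": re.compile(r"\\CurrentVersion\\Run(Services)?$", re.I),
        "name": re.compile(r"^Config Loader$", re.I),
        "data": re.compile(r"scvhost\.exe", re.I),
    },
    {
        "label": "W32/Titog.worm redirected Kazaa share folder",
        "key": re.compile(r"\\Software\\Kazaa\\LocalContent$", re.I),
        "name": re.compile(r"^Dir\d+$", re.I),
        "data": re.compile(r"\\WINDOWS\\SYSTEM\\(Shared|GotITFolder)\\?$", re.I),
    },
    {
        "label": "W32/Titog.worm forces Kazaa sharing on",
        "key": re.compile(r"\\Software\\Kazaa\\LocalContent$", re.I),
        "name": re.compile(r"^DisableSharing$", re.I),
        "data": re.compile(r"^hex:00,00,00,00$", re.I),
    },
    {
        "label": "W32/Pate.b.worm marker key",
        "key": re.compile(r"\\CurrentVersion\\Explorer\\PINF$", re.I),
        "name": None,
        "data": None,
    },
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Yield (key, name, data) tuples; (key, None, None) marks the key line itself."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ data is quoted and backslash-escaped in .reg files
                data = data[1:-1].replace("\\\\", "\\")
            yield key, m.group("name"), data


def scan_reg(text):
    """Return a list of (label, key, value_name) for every entry matching an indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        for ind in INDICATORS:
            if not ind["key"].search(key):
                continue
            if ind["name"] is None:
                if name is None:  # key-existence indicator
                    hits.append((ind["label"], key, None))
                continue
            if name is not None and ind["name"].search(name) and ind["data"].search(data):
                hits.append((ind["label"], key, name))
    return hits


# Constructed sample export: two Agobot autorun entries, a benign autorun entry,
# a hijacked Kazaa share (Dir0/Dir5), a benign Dir1, DisableSharing forced to 0,
# and the Pate.b marker key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config Loader"="scvhost.exe"
"AcmeUpdater"="C:\\Program Files\\Acme\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="scvhost.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="12345:C:\\WINDOWS\\SYSTEM\\Shared"
"Dir1"="012345:C:\\My Shared Folder"
"Dir5"="12345:C:\\WINDOWS\\SYSTEM\\Shared\\"
"DisableSharing"=hex:00,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
"""

if __name__ == "__main__":
    # regedit 5.00 exports are UTF-16; pass a file path or run against the sample
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for label, key, name in scan_reg(text):
        print(f"{label}: {key} {name or '(key)'}")
```

Run it with no argument to see the six hits in the constructed sample, or give it the path of a `reg export` / regedit export of HKLM and HKCU from a suspect machine. Matching is on value name and data rather than on the key alone, so a legitimate program registered under the same Run key is not flagged.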

- Panda Software reports the appearance of the new Opaserv.Y worm -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, September 22, 2003 - PandaLabs has detected the appearance of the new Y variant of the Opaserv worm. According to data gathered by Panda Software's international technical support services, this malicious code is already causing incidents.

Opaserv.Y spreads directly through the Internet by looking for computers to infect. In order to do this, it checks if port 137 is open and unprotected. If it is, Opaserv.Y gets into the computer through port 139 and copies itself in the C:\Windows directory under the name Speedy.scr.

At the same time, it generates several entries in the Windows Registry in order to ensure that it is run whenever the computer is started up. If the infected computer is connected to a network, Opaserv.Y will exploit the Windows vulnerability known as Share Level Password - based on an inconsistency in the protection of network shares in the operating systems Windows Me/98/95 - in order to spread to the rest of the computers in the network.

Up until now, PandaLabs has detected two versions of Opaserv.Y. The difference between the two is the compression utility they are packed with. Another characteristic of this malicious code is that if the user runs the file carrying the worm from an MS-DOS window, instead of displaying the following message: "This program requires MS Windows", one of the following three will be displayed:

- Telefonica ganhe menos e faca mais!!
- Queremos melhores servicos da SPEEDY
- Melhorem o servico Speed seus FDPS!!

Due to the incidents detected and to avoid falling victim to Opaserv.Y, Panda Software advises users to treat all e-mails received with caution and to update their antivirus solutions immediately. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate Opaserv.Y. Those whose software is not configured to update automatically should update their solutions from http://www.pandasoftware.com/.

Users can also scan their computers using the free, online antivirus, Panda ActiveScan, which is available on the company's website at http://www.pandasoftware.com/.

For more information about Opaserv.Y and other malicious code, visit Panda Software's Virus Encyclopedia at the following address: http://www.pandasoftware.com/virus_info/encyclopedia/.

Plug and Play alert
If you have already read up on or covered it, please ignore.
http://secadministrator.com/Articles/Index.cfm?ArticleID=40295

Thanks Dave,
Brad Peterson spent a lot of time helping people when Opaserv first came out. His help may be needed again soon.
It attacks the non-firewalled people!

ab hopefully it's not as rampant this time!
Here's a few more to look over:

W32/Agobot-S - Another worm variant that targets the Microsoft RPC DCOM flaws. The virus allows an attacker to control the infected machine via IRC. (Sophos)

W32/Yaha-W - A worm that spreads via its own SMTP engine. It drops a keystroke logger on the infected machine. (Sophos)

Troj/JSurf-A - Another virus that tries to exploit the iFrame vulnerability in Internet Explorer, which Microsoft patched in August. (Sophos)

WM97/Oragon-A - A Word macro virus that removes the "macro" option from the "tools" menu. It also attempts to insert some information into the open document. (Sophos)

DON'T BE AFRAID of any trojan virus,
now you have the program to help you !!!
Trojan Remover 6.07 at: http://www.simplysup.com/tremover/details.html
