When W32.Opaserv.Worm runs, it does the following:
It checks for the value
in the registry key
If the value exists, the worm deletes the file that the ScrSvrOld
If the ScrSvrOld
value does not exist, then the worm determines whether the value
exists in the registry key
If the value does not exist, the worm adds the value
to that registry key.
Next it checks whether it is being run as the file %windir%\ScrSvr.exe. If it is not, it copies itself to that file name and adds the value
ScrSvrOld <original worm name>
to the registry key
%windir% is a variable. The worm locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and uses that as a destination folder.
After the worm checks the registry values and the location from which the worm is executing, the worm checks to make sure that only one instance of the worm is running in memory by creating a mutex with the name ScrSvr31415.
If it is not already executing, the worm registers itself as a process under Windows 95/98/Me. Under Windows NT/2000/XP it elevates the priority of the worm process.
The worm then inventories the network looking for "C\" shares. For each share that it finds, it copies itself to C\Windows\Scrsvr.exe.
The worm uses a security vulnerability in Microsoft Windows 95/98/Me. It sends single-character passwords to network shares to get access to Windows 95/98/Me file shares without knowing the entire password assigned to the shares. The affected systems include:
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
A patch for computers running these operating systems can be found at http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
So that Windows 95/98/Me computers will run the worm each time that you start Windows, the worm modifies the [windows] section of the C:\Windows\Win.ini file by adding the line
- The worm modifies the file C:\Windows\Win.ini before it copies itself as %windir%\ScrSvr.exe. Therefore, Symantec antivirus products will find and delete %windir%\ScrSvr.exe after the system has been altered, but not before it modifies the Win.ini file. As a result, when you restart the computer, you may see a message that ScrSvr.exe cannot be found. To fix this, remove the line that the worm added.
- The worm is apparently coded to add this line to the Win.ini:
However, in actual infections or detections, the worm is adding the line run= c:\ScrSvr.exe.
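The Win.ini persistence described above is the part of the infection that Symantec notes may survive deletion of %windir%\ScrSvr.exe. The following Python script is an added example, not code from the Symantec writeup or from the worm: it parses the [windows] section of a Win.ini, reports any run= or load= entry that launches a program named ScrSvr.exe (whichever path variant was written), and produces a cleaned copy with that program removed so the "ScrSvr.exe cannot be found" message does not appear on restart. The sample Win.ini text embedded in it is constructed for the example; the assumption that run= and load= may list several programs separated by spaces or commas is the script's own.

```python
"""
Added example: detect and remove a W32.Opaserv.Worm-style run=/load=
persistence entry from the [windows] section of a Win.ini file.
This is illustration code, not part of the original writeup.
"""
import re
import sys

# Constructed sample Win.ini: carries the run= line the writeup reports
# seeing in actual infections, plus ordinary entries that must be kept.
SAMPLE_WIN_INI = """\
[windows]
load=
run= c:\\ScrSvr.exe
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""

# File name the worm installs itself under (case-insensitive match).
TARGET_NAME = "scrsvr.exe"
STARTUP_KEYS = ("run", "load")
SECTION_RE = re.compile(r"^\[(.+)\]$")


def find_startup_entries(ini_text):
    """Return (key, value) pairs for run=/load= lines in the [windows] section."""
    hits = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in STARTUP_KEYS:
            hits.append((key.strip().lower(), value.strip()))
    return hits


def split_programs(value):
    """Assumption: run=/load= may list several programs separated by spaces or commas."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def suspicious_entries(ini_text):
    """Return (key, program) pairs whose program name is ScrSvr.exe, any path."""
    out = []
    for key, value in find_startup_entries(ini_text):
        for prog in split_programs(value):
            if prog.lower().endswith(TARGET_NAME):
                out.append((key, prog))
    return out


def remove_entries(ini_text):
    """Return a copy of the ini with ScrSvr.exe dropped from run=/load=.

    Other programs on the same line are preserved; the key itself is kept
    (an empty run= line is harmless) so the file layout stays recognisable.
    """
    cleaned = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in STARTUP_KEYS:
                keep = [p for p in split_programs(value)
                        if not p.lower().endswith(TARGET_NAME)]
                cleaned.append(f"{key.strip()}={' '.join(keep)}")
                continue
        cleaned.append(raw)
    return "\n".join(cleaned) + "\n"


if __name__ == "__main__":
    # Usage: python opaserv_winini.py [path\to\Win.ini]; defaults to the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_WIN_INI
    found = suspicious_entries(text)
    for key, prog in found:
        print(f"suspicious [windows] entry: {key}={prog}")
    if found:
        print("--- cleaned Win.ini ---")
        print(remove_entries(text), end="")
    else:
        print("no ScrSvr.exe startup entry found")
```

The check matches on the file name rather than a fixed path because the writeup itself reports two variants (the path the worm is coded to write and the run= c:\ScrSvr.exe seen in real infections); a single hard-coded string would miss one of them.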
It also creates C:\Tmp.ini, which contains the text
The worm also appears to be able to update itself by reading files from a Web site whose URL is hardcoded within the worm. It also attempts to download an update named Scrupd.exe.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":