Printer Friendly

"Opasoft". (Virus Notes).

The multi-component program "Opasoft" combines the characteristics of a network worm and a Trojan program designed to gain unauthorized remote control of infected computers.

Kaspersky Labs has received confirmed reports of "Opasoft" infections in Russia, France, Germany, the UK, Korea among other countries.

'Opasoft' spreads through and between local area networks. After penetrating a computer the worm copies itself to the Windows system directory under the name "SCRSVR.EXE". In order to launch itself upon operating system restart, "Opasoft" registers this file in the Windows registry auto-run key, and additionally modifies the WIN.INI initialization file.

'Opasoft's' Trojan component is designed to accomplish unauthorized remote control of infected machines. Specifically, the "Opasoft" worm connects to the www.opasoft.com Web site, where it downloads its updated versions (if there are any) and launches on the infected computer malicious script programs. The indicated web site is already closed, therefore the described Trojan functions are no longer operative.

At the moment three modifications of the Opasoft worm are known. The defence against all three has already been added to the Kaspersky Anti-Virus databases.

Notes on the Opasoft Worm - protecting your computer

'Opasoft" spreads over the Internet by scanning the global network and determining which computers are running Windows 95/98/ME and on which to attempt to gain access to drive C.

Next, it goes through access passwords to these resources and if it is successful in gaining access it promptly infects victim machines with copies of itself. To search infected computers "Opasoft" uses communications ports (137 and 139) accepted in Windows networks for exchanging data. It is precisely this fact that these ports are targeted for hacker attack. This together with the circumstance that so many users and system administrators do not follow secure policies for computer resources predetermined the rapid spread of the "Opasoft' worm.

Kaspersky Labs recommends taking the following actions in order to avert the possibility of "Opasoft" penetration: Home Users must check if any computer services have been assigned for user files or printers. To do this, users should right click on the Network Neighborhood icon, select Properties and click on File and Printer Sharing. A window opens showing the current status of services, if system access to services has been established inappropriately users can then correct it. If a user knowingly opens access to Disk C, it is then necessary to make certain that it is password protected with a long password with no less than two symbols.

System Administrators are recommended to protect access to ports 137 and 139 from external access. On all computers that must transmit data to external networks via these ports, it is important to check the shared resources list to make-sure they are properly password protected. Finally, Internet Providers are also recommended to close ports 137 and 139 to their clients and open them only upon special request to execute specific tasks.

"Opasoft" infects only computers running Windows 95/98/ME , therefore the measures outlined above are not needed for computers using other operating systems, for example, Windows 2000 or Windows XP.

www.kaspersky.com
COPYRIGHT 2002 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Publication:Software World
Date:Nov 1, 2002
Words:515
Previous Article:Kaspersky top twenty. (Virus Notes).
Next Article:Tanatos. (Virus Notes).


Related Articles
Challenges in testing for West Nile virus. (Infectious Diseases).
The virus top 20 for December 2002 from Kaspersky Labs. (Virus Reports).
Top 20 for Februrary from Kaspersky. (Virus Notes).
Kaspersky virus top twenty March 2003. (Security).
MailMoniter protects against mass-mailing devices. (Security).
Viral marketing stunt similar to real virus.
EM reporter highlights virus blackspots.
Virus protection for MAC OS X.
Free removal tool for Mydoom.

Terms of use | Privacy policy | Copyright © 2024 Farlex, Inc. | Feedback | For webmasters |