"Opasoft". (Virus Notes).
The multi-component program "Opasoft" combines the characteristics of a network worm and a Trojan program designed to gain unauthorized remote control of infected computers.Kaspersky Labs has received confirmed reports of "Opasoft" infections in Russia, France, Germany, the UK, Korea among other countries.
'Opasoft' spreads through and between local area networks. After penetrating a computer the worm copies itself to the Windows system directory under the name "SCRSVR.EXE". In order to launch itself upon operating system restart, "Opasoft" registers this file in the Windows registry auto-run key, and additionally modifies the WIN.INI initialization file.
'Opasoft's' Trojan component is designed to accomplish unauthorized remote control of infected machines. Specifically, the "Opasoft" worm connects to the www.opasoft.com Web site, where it downloads its updated versions (if there are any) and launches on the infected computer malicious script programs. The indicated web site is already closed, therefore the described Trojan functions are no longer operative.
At the moment three modifications of the Opasoft worm are known. The defence against all three has already been added to the Kaspersky Anti-Virus databases.
Notes on the Opasoft Worm - protecting your computer
'Opasoft" spreads over the Internet by scanning the global network and determining which computers are running Windows 95/98/ME and on which to attempt to gain access to drive C.
Next, it goes through access passwords to these resources and if it is successful in gaining access it promptly infects victim machines with copies of itself. To search infected computers "Opasoft" uses communications ports (137 and 139) accepted in Windows networks for exchanging data. It is precisely this fact that these ports are targeted for hacker attack. This together with the circumstance that so many users and system administrators do not follow secure policies for computer resources predetermined the rapid spread of the "Opasoft' worm.
Kaspersky Labs recommends taking the following actions in order to avert the possibility of "Opasoft" penetration: Home Users must check if any computer services have been assigned for user files or printers. To do this, users should right click on the Network Neighborhood icon, select Properties and click on File and Printer Sharing. A window opens showing the current status of services, if system access to services has been established inappropriately users can then correct it. If a user knowingly opens access to Disk C, it is then necessary to make certain that it is password protected with a long password with no less than two symbols.
System Administrators are recommended to protect access to ports 137 and 139 from external access. On all computers that must transmit data to external networks via these ports, it is important to check the shared resources list to make-sure they are properly password protected. Finally, Internet Providers are also recommended to close ports 137 and 139 to their clients and open them only upon special request to execute specific tasks.
"Opasoft" infects only computers running Windows 95/98/ME , therefore the measures outlined above are not needed for computers using other operating systems, for example, Windows 2000 or Windows XP.
www.kaspersky.com
Printer friendly Cite/link Email Feedback | |
Publication: | Software World |
---|---|
Date: | Nov 1, 2002 |
Words: | 515 |
Previous Article: | Kaspersky top twenty. (Virus Notes). |
Next Article: | Tanatos. (Virus Notes). |