
Re: Opaserv Variant?

From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Tue Nov 26 2002 - 07:34:01 EST


cridley <cridley@drtel.net> wrote:

Another one -- it's clearly silly season on Opaserv...

> Have found the following scenario on 7 client machines at two different

So we can't help you there -- the evidence is gone and you have far from enough technical details here...

> All clients were infected with what Norton AV identified as

Therefore they have open (i.e. blank password) shares or are Win9x/ME machines that are not patched with MS00-072:

   http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

That is a two-year _PLUS_ patch ferchrissakes...


> ... This happens on or off the small private

Well, if it happened "off the network" you were hallucinating -- Opaserv spreads over network shares.

> ... other PCs on the networks were clean according to Norton and DOS

If it happens with the machines only on the intranet then the above is wrong too. Here's a clue or two -- if Opaserv only spreads via network shares and a machine only on the intranet (i.e. with no Internet connection) gets infected, then the infection _must_ have come from another machine on the intranet (unless someone has finally managed to develop spontaneous creation...).

> ... Networks have only dialup access. The users tried Norton's

You said above you cleaned them when off-line and after that NAV was detecting and quarantining Opaserv infection attempts. Why would you expect to find the virus on the machines at all? (Apart from in the quarantine folders _if_ you used a tool that decrypts NAV's (trivial) quarantine "protection".)

> Subsequent scans of the clients off the networks in DOS with NAV, F-prot

As we'd expect, given all the above. You have described machines protected from known Opaserv variants (but not from new ones -- they will likely nail you before NAV (or any other scanner) gets updated to detect them if/when they are released).


> the exception of wininit.exe as a possible corrupt file on one machine

This could be anything or nothing. As you seem to have deleted it, we will not know...

> After reboot, the machines are clean. Double checked with on-line scanners

Why is it that, after being "convinced" that a machine has no known virus or other malware present, you scan it again with the expectation that it will now be found infected?

Do you sit at a desk, whacking your left thumb with a hammer, expecting that next time it won't hurt?

> A day later - off the network - but on dial up, ...

Which is "off the network" in what meaningful sense?

> ... Norton catches the same bug


Of course. The Internet is an ugly and stupid place. You should know, you are part of it...

> ... It occurs when closing IE or

As far as I can tell, that is coincidental.

> ... Norton deletes files, clean

So why do you expect re-scanning it might show it as infected?

> ... Back on inet via dialup, same happens. ...

Duh...

Exactly where do you think Opaserv comes from? It clearly is not coming from your Froot Loops box when you open it for breakfast.


> ... An interesting item is that

Report it to the Mounties... 8-)

> There is no reason any of these machines should have a session open to

So, how is it that 66.130.9.147 has a connection to the nbsession port on your machine if that port is not open? (Hint: nbsession and 110 are not the same ports.)

> I can accept that the ip address could be a server for Opaserv, but I am at

You're grasping at straws and badly misunderstand how great swathes of the networking code on your machines work. Your machines are not connecting to 66.130.9.147 on its port 1302. It is connecting to you on your nbsession port (which you idiotically maintain is not open) and is connecting to your open share of the C: drive, as a share named "C" (or to the same share which is "protected" by what is effectively a one-character password due to a critical severity bug in the Win9x/ME File & Print Sharing code for which there has been a patch available for more than two years).

> If I had a file I could identify, I would submit it to NAV, Trend,

Much better would be to fix the serious stupidity with which your network bindings, directories at the base of shares, passwords (not) protecting those shares, lack of two-year-plus critical security patches, etc leave your network open to all manner of obvious yet readily avoidable attacks.


> Maybe I am missing the forest for the trees. ...

No -- you are missing the forest for the fish...

> ... Thoughts?

"You are not worthy" -- will that one do?

> Chris Ridley

People _pay you_ for your computer advice?

...
I have a suggestion to the moderator. From now on, please do not post any more of these "I'm too stupid to deal with Opaserv" questions. Point them to the archives and tell them to use the fine search function. Or point them to this list of descriptions of Opaserv, emphasizing that the spreading-through-network-shares nature of the beast, and especially its use of a security vulnerability on popular OSes, means that fixing all the user's stupid networking mistakes is the first (and only) required step in fixing Opaserv:

   http://www3.ca.com/virusinfo/virus.asp?ID=13234


   http://www.f-secure.com/v-descs/opasoft.shtml

   http://www.viruslist.com/eng/viruslist.html?id=52256

   http://vil.nai.com/vil/content/v_99729.htm

   http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html

   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A&VSect=T

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Received on Tue Nov 26 12:07:45 2002
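The point Nick makes about the netstat listing (local port 139 with a remote ephemeral port 1302 means the remote host connected *in*, not that the local machine connected out) is easy to get wrong by eye. The following is an added example, not code from the original thread: it parses constructed netstat-style lines, decides connection direction from which side holds the well-known port, and flags established inbound NetBIOS session connections from non-private addresses. The local address 192.168.1.5 and the other peers are assumed for illustration; 66.130.9.147 is the address quoted in the thread.

```python
"""Decide connection direction from netstat-style output and flag inbound
NetBIOS session (TCP 139) connections from Internet hosts.

Added example, not part of the original post.  The sample lines below are
constructed to resemble `netstat -an` output on Win9x; the addresses other
than 66.130.9.147 are assumed for illustration.
"""
import ipaddress
from typing import List, NamedTuple

NBSESSION = 139          # "nbsession" in the Windows services file
WELL_KNOWN_LIMIT = 1024  # ports below this are server-side ports

# Constructed sample.  Line 1 is the case from the thread: our port 139,
# their ephemeral port 1302.  Line 2 is an ordinary outbound POP3 session.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    192.168.1.5:139        66.130.9.147:1302      ESTABLISHED
TCP    192.168.1.5:1031       192.168.1.1:110        ESTABLISHED
TCP    192.168.1.5:139        192.168.1.7:1044       ESTABLISHED
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
"""


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(text: str) -> List[Conn]:
    """Parse 'Proto Local Foreign State' lines; skip headers and blanks."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        conns.append(Conn(parts[0], lip, int(lport), rip, int(rport), parts[3]))
    return conns


def direction(c: Conn) -> str:
    """Which side accepted the connection.

    The side holding the well-known (service) port is the server; the other
    side's port is an ephemeral port the client picked.  So local 139 with a
    remote port like 1302 means *they* connected to *us*, and local 1031 with
    remote 110 means we connected out to a POP3 server.
    """
    local_is_service = c.local_port < WELL_KNOWN_LIMIT
    remote_is_service = c.remote_port < WELL_KNOWN_LIMIT
    if local_is_service and not remote_is_service:
        return "inbound"
    if remote_is_service and not local_is_service:
        return "outbound"
    return "unknown"


def is_internet_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_unspecified)


def inbound_smb_from_internet(text: str) -> List[str]:
    """Remote addresses with an ESTABLISHED inbound session to our port 139."""
    hits = []
    for c in parse_netstat(text):
        if (c.state == "ESTABLISHED" and c.local_port == NBSESSION
                and direction(c) == "inbound"
                and is_internet_address(c.remote_ip)):
            hits.append(c.remote_ip)
    return hits


if __name__ == "__main__":
    for c in parse_netstat(SAMPLE_NETSTAT):
        print(f"{c.remote_ip}:{c.remote_port} <-> local {c.local_port}: {direction(c)}")
    print("Inbound SMB sessions from Internet hosts:",
          inbound_smb_from_internet(SAMPLE_NETSTAT))
```

The intranet peer 192.168.1.7 is also connecting inbound to port 139, which is exactly the intranet-to-intranet spread Nick describes; it is only left out of the final list because the filter is for Internet addresses.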
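Nick twice refers to the MS00-072 share-level password bug that leaves a Win9x/ME share "protected" by what is effectively a one-character password. The following is an added example, not code from the original thread or from Microsoft: it is a simplified model of the flaw as the bulletin describes it (the server compared only as many password bytes as the client supplied), placed beside the corrected comparison, with a small routine that shows why the buggy check reduces a password search to one character at a time. The stored password, the guess alphabet and the function names are assumptions for illustration; this is not SMB protocol code.

```python
"""Model of the MS00-072 share-level password check, buggy and fixed.

Added example, not part of the original post.  The vulnerable comparison
below models the flaw described in MS00-072: the number of bytes compared
was taken from the client's data, not from the stored password, so a
one-byte guess was accepted whenever its single byte matched.  The stored
password and alphabet are assumed for illustration.
"""
import string
from typing import Callable, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # assumed guess space


def vulnerable_check(stored: str, supplied: str) -> bool:
    """Buggy: compares only len(supplied) bytes, so a correct prefix passes."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def fixed_check(stored: str, supplied: str) -> bool:
    """Corrected: the whole stored password must match, length included."""
    return len(stored) == len(supplied) and stored == supplied


def recover_password(check: Callable[[str], bool],
                     max_len: int = 14) -> Tuple[Optional[str], int]:
    """Extend a prefix one character at a time using `check` as an oracle.

    Against the buggy check each position costs at most len(ALPHABET)
    attempts; against the fixed check no single-character guess ever passes,
    so the routine gives up after one round.  Returns (password, attempts).
    """
    guess = ""
    attempts = 0
    while len(guess) < max_len:
        for ch in ALPHABET:
            attempts += 1
            if check(guess + ch):
                guess += ch
                break
        else:
            break  # nothing extends the prefix: it is complete, or we failed
    if guess and check(guess):
        return guess, attempts
    return None, attempts


def worst_case_attempts(length: int) -> Tuple[int, int]:
    """(attempts against the buggy check, attempts against the fixed check)."""
    k = len(ALPHABET)
    return k * length, k ** length


if __name__ == "__main__":
    stored = "s3cret"  # assumed share password
    pw, n = recover_password(lambda s: vulnerable_check(stored, s))
    print("buggy check:", pw, "recovered in", n, "attempts")
    pw, n = recover_password(lambda s: fixed_check(stored, s))
    print("fixed check:", pw, "after", n, "attempts")
    print("worst case for a 6-char password (buggy, fixed):", worst_case_attempts(6))
```

The point is the one Nick makes: with the unpatched check the share password is not a 62^6 search but six separate 62-way searches, which is why patching takes priority over re-scanning for the worm.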

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

