W32/Opaserv.G
Analysis
- Virus is 32bit, with a compressed size of 12800 bytes, and is a minor variant of W32/Opaserv.A
- Virus icon is that of a standard 32bit executable
- Virus attempts to connect to opasoft.com and update itself; however, the hard-coded URL is no longer available
- Virus copies itself to the Windows folder as Marco!.scr and modifies the registry to load at Windows startup
- The virus will attempt to use SMB through NetBIOS, seeking machines on the same IP subnet
- The virus will scan IP addresses within the same domain for other shares, using NetBIOS via TCP port 137, seeking systems with open shares
- If a system is found with an open share, the virus will copy itself to that machine in the Windows folder as Marco!.scr
- The virus will modify the WIN.INI configuration file to load the dropped virus at Windows startup via an additional configuration file named "gay.ini":
  run=c:\gay.ini
- The configuration file "gay.ini" contains an instruction to run "Marco!.scr" via "run="
- The registry entry added to load the virus at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  cronos = Windows\Marco!.scr
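As an added example (not part of this analysis), the following Python checker looks for the two persistence indicators listed above, the WIN.INI "run=c:\gay.ini" line and the "cronos" value under the Run key, in an offline copy of WIN.INI and a .reg export of that key; the sample inputs are constructed.

```python
# Added example (not from the original analysis): flag the two Opaserv.G persistence
# indicators above in offline copies of WIN.INI and a .reg export of the Run key.
from typing import Dict, List, Tuple

DROPPED_FILE = "marco!.scr"  # dropped copy in the Windows folder
INI_LOADER = "gay.ini"       # secondary ini referenced from WIN.INI run=
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "cronos"    # value name the virus adds under the Run key


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal [section] / key=value parser for WIN.INI and .reg export syntax."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            # .reg exports quote names and data; WIN.INI does not
            sections[current].append((key.strip().strip('"').lower(), value.strip().strip('"')))
    return sections


def scan_win_ini(text: str) -> List[str]:
    """Return [windows] run=/load= entries that reference gay.ini or Marco!.scr."""
    hits = []
    for key, value in parse_ini(text).get("windows", []):
        low = value.lower()
        if key in ("run", "load") and (INI_LOADER in low or DROPPED_FILE in low):
            hits.append(f"win.ini {key}={value}")
    return hits


def scan_run_key(reg_text: str) -> List[str]:
    """Return Run-key values named 'cronos' or whose data launches Marco!.scr."""
    hits = []
    for name, data in parse_ini(reg_text).get(RUN_KEY.lower(), []):
        if name == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            hits.append(f"Run\\{name}={data}")
    return hits


# Constructed samples mimicking an infected host's WIN.INI and a .reg export.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\gay.ini\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = ("Windows Registry Editor Version 5.00\n\n"
              "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
              '"cronos"="Windows\\\\Marco!.scr"\n')
```

Running `scan_win_ini(SAMPLE_WIN_INI)` and `scan_run_key(SAMPLE_REG)` returns one finding each; a clean WIN.INI or Run key returns an empty list.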