Weekly Virus Report - Bugbear and Opaserv Infections
Posted on 07.10.2002
W32/Bugbear has been the main protagonist of this week's virus activity, followed, to a lesser extent, by two variants of W32/Opaserv.

W32/Bugbear spreads via e-mail (in a message which is very difficult to identify as its subject, contents and the name of the attached file change on each infection) and across shared network drives. This worm affects several antivirus programs and firewalls in order to leave the computer defenseless against other viruses and attacks.

Since W32/Bugbear spreads across resources shared on a network, it might flood printers by printing its binary code. The worm also takes advantage of a known Internet Explorer vulnerability, which could allow attached files to be run automatically by simply viewing messages through Outlook's preview pane. Finally, it uses port 36794 to establish remote connections.

The other two malicious codes we will look at here are W32/Opaserv and W32/Opaserv.D, which spread across shared network drives and try to connect to a web page in order to download updates of themselves. To carry out infection, both these files create a file called SCRSVR.EXE in the Windows directory, which contains the infection code. W32/Opaserv.D also generates a file named TMP.INI in the root directory of the hard disk and enters a command in the WIN.INI file in order to run itself.

Finally, W32/Opaserv looks for network addresses as well as some random IP addresses, and makes calls to port 137. On getting a response, it spreads through port 139, copying itself to the remote computer's C:\Windows directory.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th