Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity HIGH
Payload Completely wipes hard disk
Detection files published 05 Jan 2003 03:00:00
Description created 14 Jan 2003 07:48:00
Description updated 30 Jan 2003 02:19:00
Malware type WORM
Alias
Spreading mechanism NETWORK
Summary None

W32/Opaserv.K

Spreading

These worms spread over networks in the same way as the earlier variant of this family.


Payload Details

In certain conditions (if the worm is started with more than one day's separation between runs and it has managed to spread itself) it will attempt to overwrite the hard disk. This action often starts with an emergency shutdown of the machine. The hard disk, including all system areas, is then overwritten with garbage. Such overwritten hard drives will be very difficult to recover.

Every first sector on every track (including the Master Boot Sector) will be overwritten with a program which displays the following text during bootup:

    NOTICE:
    Illegal Microsoft Windows license detected!
    You are in violation of the Digital Millennium Copyright Act!
    Your unauthorized license has been revoked.
    For more information, please call us at:
    1-888-NOPIRACY
    If you are outside the USA, please look up the correct contact information on our website, at:
    www.bsa.org
    Business Software Alliance
    Promoting a safe & legal online world.

Analysis

n/a

Removal

Opaserv uses a security vulnerability in Windows 9x/ME to crack network share passwords. Download and install the patch from Microsoft to remedy this.

1. Download Lumension Malware Cleaner (see below).
2. Disconnect your PC from the Internet and from the local network.
3. Run Lumension Malware Cleaner.
4. Open c:\windows\win.ini in Notepad.
5. Search for the line "run=c:\windows\mqbkup.exe".
6. Delete the text "c:\windows\mqbkup.exe".
7. Save the file.
8. You can now reconnect your PC to your local network and to the Internet.

If infected by the L variant, replace "mqbkup.exe" with "mstask.exe" in steps 5 and 6.
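The win.ini check in steps 4 to 7 above, done programmatically over a copy of the file: an added example, not Lumension's Malware Cleaner and not code from the original description. It looks only in the [windows] section, matches the file names the page gives (mqbkup.exe for the K variant, mstask.exe for the L variant) on the last path component, and removes just those entries so that any other program on the same run= line is kept. The sample win.ini content is constructed; the assumption that a run= line may list several programs separated by spaces or commas is the example's own.

```python
"""Find and strip the Opaserv run= persistence entry from win.ini text.

Added example for the removal steps; not Lumension's tool.
"""
import re
from typing import List, Tuple

# File names the page gives for the worm's win.ini persistence entry:
# mqbkup.exe for the K variant, mstask.exe for the L variant.
OPASERV_RUN_TARGETS = ("mqbkup.exe", "mstask.exe")

# Constructed sample of a win.ini from an infected Windows 9x machine.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=c:\\windows\\mqbkup.exe\r\n"
    "NullPort=None\r\n"
    "\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Only the 'run' key; 'runonce=' or other keys do not match because '=' must follow 'run'.
_RUN_RE = re.compile(r"^(?P<key>\s*run\s*=)(?P<value>.*)$", re.IGNORECASE)


def _split_run_value(value: str) -> List[str]:
    # Assumption: a run= line may name several programs separated by spaces or commas.
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def _basename(path: str) -> str:
    # Last component of a DOS path, compared case-insensitively.
    return re.split(r"[\\/]", path)[-1].lower()


def find_opaserv_entries(win_ini_text: str) -> List[str]:
    """Return run= entries in the [windows] section whose file name is an indicator."""
    hits: List[str] = []
    in_windows = False
    for line in win_ini_text.splitlines():
        sec = _SECTION_RE.match(line)
        if sec:
            in_windows = sec.group("name").strip().lower() == "windows"
            continue
        if not in_windows:
            continue
        run = _RUN_RE.match(line)
        if run:
            hits.extend(p for p in _split_run_value(run.group("value"))
                        if _basename(p) in OPASERV_RUN_TARGETS)
    return hits


def clean_win_ini(win_ini_text: str) -> Tuple[str, List[str]]:
    """Return (cleaned_text, removed_entries).

    Line endings and every other line are preserved; on the run= line only the
    matching entries are dropped, so unrelated programs listed there stay.
    """
    removed: List[str] = []
    out: List[str] = []
    in_windows = False
    for line in win_ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        sec = _SECTION_RE.match(body)
        if sec:
            in_windows = sec.group("name").strip().lower() == "windows"
        elif in_windows:
            run = _RUN_RE.match(body)
            if run:
                keep: List[str] = []
                for p in _split_run_value(run.group("value")):
                    (removed if _basename(p) in OPASERV_RUN_TARGETS else keep).append(p)
                body = run.group("key") + " ".join(keep)
        out.append(body + ending)
    return "".join(out), removed


if __name__ == "__main__":
    print("indicators found:", find_opaserv_entries(SAMPLE_WIN_INI))
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed)
    print(cleaned)
```

Run it against a copy of c:\windows\win.ini taken from the disconnected machine; review the removed list before writing the cleaned text back, and confirm the path of any mstask.exe hit, since only the file name is matched here.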


Last Updated: 12 Nov 2015 11:06:10