nasty virus...ouch
January 10th, 2003, 11:07 PM
#1
Senior Member
Join Date: Oct 2001 Location: Utah
Posts: 551
Hey guys,
a sort of heads up..
My brother got the opaserv.k virus. Nasty stuff.
It rewrote his cmos, and now on boot only displays info that his version of windows was illegal, gives a phone number, and refers to the BSA site.
Will know tomorrow whether it formatted the HD, which it is supposed to be able to do.
He was running Norton, although probably not updated. A win98 machine, on dialup that they probably used 2-3 times a week. I was pretty shocked they even got it.
Watch out for this one...also, it can be found and cleaned before it's run, and attacks the cmos.
dragonb
January 10th, 2003, 11:21 PM
#2
Not an OWO yet, just OLD!
Join Date: Oct 2001 Location: Uh, Central Oregon
Posts: 5,695
Per Trend (Solution can be found here as well!) Quote:
This destructive, memory-resident worm, a member of the OPASERV family of worms, propagates via shared network drives. Its destructive payloads are executed when the system date is between December 24 to 31 or when the year is greater than 2002.
This worm deletes files, overwrites the boot sector and destroys the CMOS, a critical system element which holds hardware configuration and initialization settings. These payloads leave infected systems practically unusable.
It also modifies the registry and the configuration file, WIN.INI, so that it automatically executes every Windows startup. It utilizes a known exploit that enables malicious users to access shared drives, as discussed in a security bulletin from Microsoft.
This worm runs on all Windows platforms.
Trend Micro antivirus detects this malware as TROJ_WINKILL.A with the pattern file, 413.
Harder
Last edited by sharder8 : January 10th, 2003 at 11:26 PM.
January 10th, 2003, 11:27 PM
#3
Ultimate Member
Join Date: Oct 2001 Location: Georgia
Posts: 2,925
W32.Opaserv.K Worm information from Symantec.
Thanks for the heads-up.
Mike Quote:
The code displays this message:
NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at: www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.
Last edited by Xeroid : January 10th, 2003 at 11:30 PM.
January 10th, 2003, 11:29 PM
#4
Member
Join Date: Feb 2002
Posts: 465
That is a nasty one. I also had a friend get a worm from dialup. Went right through the antivirus even though it was up to date. I had been working on the machine and had to temporarily disable zone alarm. Bad move as I'm sure that's how the worm got through.
It was hard to get rid of too because it had altered win32.dll to call out when the machine was online to reinstall the worms and viruses, funlove and space.
I followed the removal directions and the machine was always clean until it connected to the internet. Then, boom, worms again.
It also messed up reinstalling zone alarm in that I could not reinstall it.
I only solved the problem by installing a different firewall, sygate defender which intercepted the altered win32.dll trying to access the internet when the machine was online. The worm had even made the win32.dll file read only so a surface reinstall of the OS would not get rid of it.
Bottom line, these virus and worm writers are nasty people and you need antivirus AND a firewall even on dialup.
Cwizard
January 11th, 2003, 12:15 AM
#5
it's me
Join Date: Oct 2001 Location: perpetual delerium
Posts: 4,705
I have me a gigabyte! CMOS is safe as a...er...safeish thing. I have dual BIOSes so it will auto backup from my good BIOS and fix the prob. Yes, I'm terribly special.
January 11th, 2003, 12:16 AM
#6
it's me
Join Date: Oct 2001 Location: perpetual delerium
Posts: 4,705
Oh, BTW, sorry about your bro's PC. Viruses do stink. I love to look at them, because some of them are really well programmed and can do some neat things, but programming one and setting it loose is just a stupid thing to do. Using your talents like that is an incredible waste.
January 11th, 2003, 12:31 AM
#7
Ultimate Member
Join Date: Oct 2001 Location: Hamilton, On, Ca
Posts: 2,620
Quote:
I have me a gigabyte! CMOS is safe as a...er...safeish thing. I have dual bios's so it will auto backup from my good bios and fix the prob Yes, I'm terribly special
What is to say it doesn't nuke your second BIOS when the computer starts to boot?
It's about time someone made a virus that isn't just spam. Sorry, but I had given up on people being clever. I thought they all just wanted to "spread the word", so to speak, lately; there have been virii like this in the past but they have been long forgotten.
Thanks for the heads-up.
Is it me or does this sound like a disgruntled programmer, not a hacker?
January 11th, 2003, 12:55 AM
#8
Ultimate Member
Join Date: Oct 2001
Posts: 1,412
Thanks
January 16th, 2003, 12:14 AM
#10
Senior Member
Join Date: Oct 2001 Location: Utah
Posts: 551
ok, getting the HD back tonight...
It does display the cmos thing. I had my bro read me what was in fdisk (from a boot floppy) and there were 3 partitions: 1 Novell, 2 non-DOS (it was a 98 machine).
It only had 1 partition before the virus.
Virus info follows from symantec's site.
Question: Is all the data irreversibly gone? Are there any programs that could recover from this? Anything not expensive that would help?
thanks,
dragonb
from symantec's site.....
Under Windows 95/98/Me, the system reboot will activate the code of the compromised MBR, which performs the following actions:
It disables the keyboard input.
It reads the Seconds field from CMOS and uses that value as a key to fill a table with 63 pseudo-random numbers.
It then uses this particular table to address in CHS-format the sector locations, which are overwritten with the pseudo-random table itself.
Such data destruction is repeated for every partition of every physical drive. This results in an enormous amount of data loss. A particular sector of the physical drives is then marked to identify that the payload was performed on it.
Then, the code displays this message:
NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at: www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.
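An added example, not from this thread, Symantec or Trend: a small Python baseline check that parses the 512-byte MBR, hashes the boot-code region, and lists the partition table, so that the kind of change dragonb read out of fdisk (one partition before, one Novell plus two non-DOS after) shows up as a diff against a known-good copy. The MBR bytes below are constructed test data and do not reproduce any real worm's layout; the partition type names are the standard type IDs, and any code not in the DOS map is reported as "Non-DOS", which is how fdisk of that era labels it.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

# Standard partition type IDs. Anything else is what DOS/Win9x fdisk lists as "Non-DOS".
DOS_TYPES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "Extended", 0x06: "FAT16",
             0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA", 0x0F: "Extended LBA"}
NOVELL_TYPES = {0x64: "Novell NetWare 286", 0x65: "Novell NetWare 386"}


def describe_type(type_code):
    """Human-readable partition kind, always including the raw type code."""
    name = DOS_TYPES.get(type_code) or NOVELL_TYPES.get(type_code) or "Non-DOS"
    return "%s (0x%02X)" % (name, type_code)


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        boot_flag, type_code, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, offset)
        if type_code == 0:  # empty slot
            continue
        partitions.append({"slot": slot, "bootable": boot_flag == 0x80, "type_code": type_code,
                           "kind": describe_type(type_code), "lba_start": lba_start, "sectors": sectors})
    return {"code_hash": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def compare_to_baseline(baseline, current):
    """List every difference between a known-good parsed MBR and a current one."""
    findings = []
    if baseline["code_hash"] != current["code_hash"]:
        findings.append("boot code changed: sha256 %s.. -> %s.." %
                        (baseline["code_hash"][:12], current["code_hash"][:12]))
    base_slots = {p["slot"]: p for p in baseline["partitions"]}
    cur_slots = {p["slot"]: p for p in current["partitions"]}
    if len(base_slots) != len(cur_slots):
        findings.append("partition count changed: %d -> %d" % (len(base_slots), len(cur_slots)))
    for slot in range(4):
        b, c = base_slots.get(slot), cur_slots.get(slot)
        if b is None and c is None:
            continue
        if b is None:
            findings.append("slot %d: new partition %s" % (slot, c["kind"]))
        elif c is None:
            findings.append("slot %d: partition %s removed" % (slot, b["kind"]))
        elif (b["type_code"], b["lba_start"], b["sectors"]) != (c["type_code"], c["lba_start"], c["sectors"]):
            findings.append("slot %d: %s -> %s" % (slot, b["kind"], c["kind"]))
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR from boot-code bytes and (type, lba_start, sectors) tuples."""
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code does not fit before the partition table")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for slot, (type_code, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE,
                         0x80 if slot == 0 else 0x00, type_code, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy Win98-style disk with one FAT32 partition, and a tampered one
# whose boot code differs and whose table now shows one Novell and two non-DOS entries.
HEALTHY_MBR = build_mbr(b"\xEB\x3C\x90" + b"BASELINE BOOT CODE", [(0x0B, 63, 4_000_000)])
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90" + b"REPLACED BOOT CODE",
                         [(0x65, 63, 1_000_000), (0x7F, 1_000_063, 1_000_000), (0xA5, 2_000_126, 1_000_000)])


def check_disk(baseline_sector, current_sector):
    """Parse both sectors and return the list of findings (empty means no change)."""
    return compare_to_baseline(parse_mbr(baseline_sector), parse_mbr(current_sector))


if __name__ == "__main__":
    for finding in check_disk(HEALTHY_MBR, TAMPERED_MBR):
        print(finding)
```

On a live machine the 512 bytes would be read from the raw disk device with administrator rights and the baseline hash stored somewhere the OS cannot rewrite (a floppy or a printout, in 2003 terms); the check only tells you the MBR changed, not whether the data behind it is recoverable.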