[Dshield] W32/Opaserv-D

KeithTarrant@spamcop.net KeithTarrant at spamcop.net
Wed Nov 13 16:48:53 GMT 2002


Hi Malcolm -

First let me say if one AV web site isn't clear, try some others for
second opinions.  In fact, for newish viri it is often good to check
additional AV web sites because errors in analysis and writing do occur.  I
like www.sarc.com and www.kaspersky.com, but I'll also go to
www.google.com and check for other writeups as well.

Also, very new viri are often mis-identified as their predecessors, until
signature files are updated.  You can get second opinions on scans from
the online virus scanners here:
http://housecall.antivirus.com/pc_housecall/
http://security1.norton.com/
http://www.grisoft.com/html/us_index.htm
http://www.pandasoftware.com/activescan/

Since the virus didn't fully install, maybe it is a new strain.  If Sophos
has a tool to quarantine and submit the infected files to them you should
think about using it.

Now I'll try to answer some of your questions.

----- Original Message -----
From: "Malcolm Warden" <malcolm.warden at virgin.net>
To: <list at dshield.org>
Sent: Wednesday, November 13, 2002 7:42 AM
Subject: [Dshield] W32/Opaserv-D


> Sophos AV came up with W32/Opaserv-D and W32/Opaserv-C on one
> workstation this morning. Running a full scan elsewhere gives me a clean
> bill of health but I'm uncertain on how the damn thing bit me in the first
> place and would appreciate some pointers.
>
> Setup (normally)
> Small family peer-to-peer network,
>     One W2000pro machine with ISDN running ICS, protected by Sophos and
>     ZA Pro
>     This machine also runs Mercury mail server but nothing else
>     It checks as clean
>
>     Another Machine (Win98se) - normally a client for ICS also with ZA
>     Pro and Sophos
>     This machine has all WP data etc stored on the W2000 machine and
>     runs Pegasus mail etc etc from the W2000 machine.
>     This is the PC with W32/Opaserv-D and C
>
> Temporary Setup
>     Motherboard failure on the W2000 machine on Saturday - so I
>     temporarily placed the W2000 PC data disks into an old desktop (also
>     W2000) but did not restore the ISDN connection to this PC. Instead, I
>     started up an ISDN connection to the PC that got the worm (but it
>     still has ZA and Sophos so there should be no difference?)
>
> Analysis
>     Only this one PC has the worm ( two files
>     C:\WINDOWS\scrsvr.exe and
>     C:\WINDOWS\Brasil.exe )
>     The registry and win.ini were untouched but it was trying to make an
>     internet connection without me understanding why.
>     The other PCs have file sharing enabled but are untouched and have
>     nothing in the AV log.
>     The infected PC has 'not shared' on the Windows directory (I only
>     looked after removing the virus so it's possible that Sophos changed
>     that?)
>
> Questions
>     The Sophos site says 'anyone ... connected to the Internet who has
>     file sharing enabled and who enables NETBIOS over TCP/IP is
>     potentially vulnerable...' .
>     What is netbios and is there something else I need to do to protect
>     against this?

Netbios is a protocol for communications.  Netbios isn't carried by the
internet, only TCP/IP is.  But if you have Netbios over TCP/IP enabled,
the Netbios will be converted and sent via TCP/IP.

I'm not sure that quote tells the full story.  If your File and Print
Sharing is only bound to Netbios and Netbios over TCP/IP is not enabled,
then F&PS won't work over the internet.  But if F&PS is also bound to
TCP/IP you will be just as vulnerable.

See http://grc.com/su-bondage.htm for how to use selective binding to
apply this extra layer of protection, but note that the article is a
couple of years old now.  M$ is trying to phase out Netbios with Windows
XP (although they did make it easy to add netbios back in).

Of course you should have all the critical fixes on your operating systems
and you should have passwords on your shared files/folders/disks. Another
extra layer of protection is to avoid write shares if you can.

(That password fix for W98 a few years ago, just after W98 came out,
having to do with password fragments being accepted as the full
password --  I found out recently from an AV company website that W98 was
accepting the first character of passwords as the full password.  The fix
has been out for years but some people never run Windows Update.  There
are now viri that try every one character password.)

>     It seems that it got through my defences somehow but did not
>     trigger - is this correct?

Sounds right.  It is new, so your signature file might not have been
updated, or the update might not have been out yet.

>     Is there somewhere I could look in the ZA log to spot the point of
>     entry?

It needed a successful connection to get in.  Your ZA probably isn't
logging successful connections, so probably no.

>     Why do I need M$ QManager? It is blocked in ZA - but would this
>     cause an attempted dial-up before ZA said 'no' ?

Someone else will know.  Who makes it?  Can you right-click on it, select
Properties and tell us more?

>     Should I be concerned about the following Registry entries (All
>     HKLM\Software......Current Version\Run )
>     NvCp/Daemon Rundll32.exe NvQTwk, NvCp/Daemon initialise
>     NWiz NWiz.exe / install
>     LoadQM (can I just blow this away?)

LoadQM, that's an M$ thing for trickle downloading updates to Windows in
the background.  Not needed.

The others, I don't know.

>
> Any suggestions and pointers greatly appreciated.

You can get security tips here (appropriate for small offices too, in spite
of the URL):
http://www.cert.org/homeusers/


If you don't have a NAT router (aka cable/dsl Network Address Translation
router) you should think about getting one as an extra independent layer
of protection.  Especially if you aren't running any servers, even a cheap
NAT router provides a simple-to-setup layer of independent protection.

The thing with software AV and software firewalls is sometimes viri are
able to shut them down; and sometimes when we are changing setups, the
software AV and software firewalls aren't running for a few minutes --
although for part of that time the network connections won't be enabled
either; and sometimes we ourselves shut down AV and firewalls as part of
problem determination.  With port 137 probes (the kind that are used by viri
that spread over disk shares) coming in every 2-5 minutes this is a big
window of vulnerability.

You can connect your computers to the internet and together via the NAT
router, and then run ZoneAlarm as an extra layer of protection on the
individual computers.  Some Linksys routers (BEFSR41 and some similar
models) even have the ability to determine if ZoneAlarm and/or PC-cillin
AV are running on a PC and deny access to the internet if they aren't (but
that feature only works with ZA Pro and/or PC-cillin, but you can get a
deal on them by buying them through the router setup panel).  The BEFSR41
is being replaced with a newer version, BEFSX__ *I think*, which will be
able to handle 2 VPN sessions instead of 1, and that will maintain an
internal FW log with 1000 entries, so good deals on the BEFSR41 are
available.

And make sure you update the firmware in your router when you install it.

Good luck.

- Keith

>
> Thanks
>
> --
> Malcolm Warden
>
> [P] 01608 685592
> [F] 01608 685595
> [M] 07905 185406
>
>
>
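Keith's two log-related points, that NetBIOS probes on port 137 arrive every few minutes and that a firewall which logs only blocked traffic won't show the successful connection that let the worm in, can both be checked against a firewall log with a few lines of parsing. The script below is an added example, not code from the original post, from ZoneAlarm or from Sophos. The log format it reads is a constructed, simplified one (timestamp, action, protocol, source, destination with port), not ZoneAlarm's real format, and the sample lines are constructed, not captured from the poster's network; it counts inbound hits on the file-sharing ports (137, 138, 139, 445), groups them by source, reports the average gap between probes, and flags any that were allowed rather than blocked, since an ALLOW entry on one of these ports is the "point of entry" worth looking for.

```python
"""Count inbound NetBIOS/SMB probes in a simplified firewall log.

Added example (not part of the original mailing-list thread). The log
format below is constructed for illustration and is NOT ZoneAlarm's real
log format, which the thread does not show.
"""
from collections import Counter
from datetime import datetime

# Ports that share-spreading worms such as the Opaserv family rely on:
# NetBIOS name service (137/udp), datagram (138/udp), session (139/tcp)
# and direct-hosted SMB (445/tcp).
FILE_SHARING_PORTS = {137, 138, 139, 445}

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2002-11-13 07:40:02 BLOCK UDP 203.0.113.7:1029 -> 198.51.100.5:137
2002-11-13 07:41:15 BLOCK TCP 203.0.113.9:3211 -> 198.51.100.5:80
2002-11-13 07:43:30 BLOCK UDP 203.0.113.7:1030 -> 198.51.100.5:137
2002-11-13 07:47:01 BLOCK TCP 192.0.2.44:4455 -> 198.51.100.5:139
2002-11-13 07:48:40 BLOCK UDP 192.0.2.44:137 -> 198.51.100.5:137
2002-11-13 07:52:10 ALLOW TCP 198.51.100.5:1100 -> 93.184.216.34:80
2002-11-13 07:53:55 BLOCK UDP 203.0.113.7:1031 -> 198.51.100.5:137
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 7 or parts[5] != "->":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    src_ip, _ = parts[4].rsplit(":", 1)
    dst_ip, dst_port = parts[6].rsplit(":", 1)
    return {"time": ts, "action": parts[2], "proto": parts[3],
            "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def file_sharing_probes(log_text):
    """Return parsed entries aimed at NetBIOS/SMB ports, in log order."""
    probes = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry["dport"] in FILE_SHARING_PORTS:
            probes.append(entry)
    return probes


def summarize(log_text):
    """Summarize probe volume, sources, allowed hits and mean inter-probe gap."""
    probes = file_sharing_probes(log_text)
    by_port = Counter(e["dport"] for e in probes)
    by_src = Counter(e["src"] for e in probes)
    # Any non-BLOCK entry on a file-sharing port is the one to investigate:
    # it is the kind of successful connection a default log may not record.
    allowed = [e for e in probes if e["action"] != "BLOCK"]
    gaps = [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(probes, probes[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else None
    return {"total": len(probes), "by_port": dict(by_port),
            "by_src": dict(by_src), "allowed": len(allowed),
            "mean_gap_seconds": mean_gap}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("file-sharing port hits:", report["total"])
    print("by destination port:  ", report["by_port"])
    print("by source address:    ", report["by_src"])
    print("allowed (investigate):", report["allowed"])
    print("mean gap between hits: %.0f s" % report["mean_gap_seconds"])
```

On the constructed sample the mean gap comes out at about 208 seconds, i.e. the "every 2-5 minutes" rate Keith describes, and no allowed hit appears, which is exactly the situation where the firewall log cannot answer the point-of-entry question. Adapting it to a real product means replacing `parse_line` with that product's log format.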
