Proactive Security
 

W32/Opaserv.K

Threat risk: medium

Detection files published:
06 Jan 2003
Description created:
2003-01-14
Description updated:
2003-01-30

Malware type:
Worm
Alias:
Spreading mechanism:
Network

Payload:
Completely wipes hard disk

Summary

This variant of Opaserv and another one (L) contain a very dangerous payload, which distinguishes them from the rest of the family.

Apart from the payload they are functionally quite similar to the rest of the family.

The K variant uses the filename mqbkup.exe
The L variant uses the filename mstask.exe
 

Spreading description

These worms spread over networks in the same way as the earlier variant of this family.

 

Threat description

Under certain conditions (if the worm is started with more than one day's separation and it has managed to spread itself), it will attempt to overwrite the hard disk. This action often starts with an emergency shutdown of the machine. The hard disk, including all system areas, is then overwritten with garbage. Such overwritten hard drives will be very difficult to recover.

Every first sector on every track (including the Master Boot Sector) will be overwritten with a program which will display the following text during bootup:

NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!

Your unauthorized license has been revoked.
For more information, please call us
at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information on our website, at:

www.bsa.org

Business Software Alliance
Promoting a safe & legal online world.

Removal

  1. Opaserv uses a security vulnerability in Windows 9x/ME to crack network share passwords. Download and install the patch from Microsoft to remedy this.
  2. Download Norman Malware Cleaner (see below).
  3. Disconnect your PC from Internet and from the local network.
  4. Run Norman Malware Cleaner.
  5. Open c:\windows\win.ini in Notepad. Search for the line "run=c:\windows\mqbkup.exe". Delete the text "c:\windows\mqbkup.exe". Save the file. If infected by the L variant, replace "mqbkup.exe" with "mstask.exe".
  6. You can now reconnect your PC to your local network and to the Internet. 
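
The win.ini edit from step 5, as an added example (not Norman's code and not part of Norman Malware Cleaner): it removes only the worm's entry from the run= line of the [windows] section and keeps any other programs listed there. The function name, the sample file contents and the assumption that run= entries are separated by spaces or commas are illustrative.

```python
import re

# File names the page gives for the K and L variants.
OPASERV_NAMES = {"mqbkup.exe", "mstask.exe"}

# Constructed sample, not taken from a real infected machine.
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\TOOLS\\clock.exe c:\\windows\\mqbkup.exe\r\n"
    "[Desktop]\r\n"
    "run=c:\\windows\\mqbkup.exe\r\n"
)

def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for the contents of win.ini."""
    out, removed, section = [], [], ""
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve the original line ending
        stripped = body.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        m = re.match(r"(\s*run\s*=)(.*)$", body, re.IGNORECASE)
        # Only the run= key of the [windows] section starts programs at boot.
        if m and section == "windows":
            kept = []
            # Assumption: entries are separated by spaces or commas and
            # contain no embedded spaces (8.3 paths).
            for entry in re.split(r"[,\s]+", m.group(2).strip()):
                name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if name in OPASERV_NAMES:
                    removed.append(entry)
                elif entry:
                    kept.append(entry)
            body = m.group(1) + " ".join(kept)
        out.append(body + eol)
    return "".join(out), removed

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Run it against a copy of win.ini and compare the result before replacing the original; a non-empty list of removed entries also serves as a quick check for whether the machine was set to start the worm.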

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage Title Comment
  Stop the spread of viruses on network shares  
  Cleaning of back-up folders on Windows Me and XP