“L” Variant of the Opaserv Worm in Circulation

This worm has been designed to activate on or after December 24, 2002. Its actions include deleting the contents of the infected computer’s CMOS and hard disk.

Panda Software’s Virus Laboratory has detected the appearance of Opaserv.L (W32/Opaserv.L). This new variant is particularly dangerous because, on December 24, 2002 or afterwards, it can delete the CMOS memory and every file on the infected computer’s hard disk.

Opaserv.L spreads over the Internet by searching for computers with port 137 open. On finding one, the worm carries out the actual infection through port 139, copying itself to the target computer’s Windows directory under the name mqbkup.exe. It also propagates through local shared resources and network drives by exploiting the Share Level Password vulnerability, which affects Windows 95, 98 and Me systems on which the corresponding patch released by Microsoft has not been applied.
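The port 137 probe followed by a port 139 connection described above can be looked for in perimeter logs. The following is an added detection example, not part of the original advisory; the log format, the sample lines and the 60-second window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log (assumed format, sorted by time):
# timestamp src_ip dst_ip proto dst_port action
SAMPLE_LOG = """\
2002-12-20T10:00:01 203.0.113.7 192.0.2.10 udp 137 allow
2002-12-20T10:00:03 203.0.113.7 192.0.2.10 tcp 139 allow
2002-12-20T10:00:05 203.0.113.7 192.0.2.11 udp 137 allow
2002-12-20T10:02:00 198.51.100.4 192.0.2.10 tcp 139 allow
2002-12-20T10:05:00 198.51.100.9 192.0.2.12 udp 137 deny
2002-12-20T10:05:02 198.51.100.9 192.0.2.12 tcp 139 deny
2002-12-20T11:30:00 203.0.113.7 192.0.2.11 tcp 139 allow
malformed line here
"""

WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(line):
    """Return (time, src, dst, proto, port, action) or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, port, action = parts
    try:
        return (datetime.fromisoformat(ts), src, dst,
                proto.lower(), int(port), action.lower())
    except ValueError:
        return None


def find_probe_then_session(log_text, window=WINDOW):
    """Flag src->dst pairs where an allowed NetBIOS name-service probe
    (UDP 137) is followed within `window` by an allowed session (TCP 139)."""
    last_probe = {}  # (src, dst) -> time of the latest allowed 137 probe
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[5] != "allow":
            continue  # skip malformed lines and traffic the firewall blocked
        ts, src, dst, proto, port, _ = rec
        if proto == "udp" and port == 137:
            last_probe[(src, dst)] = ts
        elif proto == "tcp" and port == 139:
            probe = last_probe.get((src, dst))
            if probe is not None and timedelta(0) <= ts - probe <= window:
                hits.append((src, dst, ts.isoformat()))
    return hits
```

Any hit from an Internet source means NetBIOS is reachable from outside; blocking ports 137 and 139 at the perimeter and checking the flagged host's Windows directory for mqbkup.exe are the follow-up steps.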

Once installed on the system, and if the date is December 24, 2002 or later, Opaserv.L activates, creating several files on the computer. The worm then restarts the infected machine and displays the following message in an MS-DOS window:

“NOTICE:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act
Your unauthorized license has been revoked
For more information, please call us at:
NOPIRACY
If you are outside the USA, please look up the correct contact information on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world”

Finally, Opaserv.L deletes the content of the computer’s CMOS and hard disk.



