Once again, our weekly report on malicious code will focus on worms. This week we will be looking at the “N” and “O” variants of Opaserv along with Horo, Sahay and a Trojan called Trj/W32.Sevic.
Opaserv.N and Opaserv.O spread through shared network drives by exploiting the Share Level Password vulnerability, a weakness in the way Windows Me/98/95 protect the passwords used for shared resources. In order to spread to other computers, the “N” variant modifies entries in the Windows Registry and creates several files on affected computers. It also tries to connect to other drives in the same network as the affected computer and to random IP addresses.
Opaserv.O activates on or after December 24 2002. When it activates it deletes all the data stored in the CMOS (BIOS or computer Setup) and the content of the hard drive. Once it has carried out its infection, it restarts the PC and displays a message that appears to be a warning about the version of Windows installed.
Horo is a mass-mailing worm that reaches computers in a file called “HOROSCOPE.SCR” attached to an e-mail message with the subject: “Today’s free horoscope”. This malicious code creates multiple copies of itself and inserts a large number of entries in the Windows Registry, which significantly reduces the free space available on the hard disk and could prevent the computer from starting up correctly. Once it has carried out its infection, Horo sends itself out to all the contacts in Outlook’s Address Book.
The fourth and final worm in today’s report is Sahay, which is sent in a file called “MATHMAGIC.SCR” attached to an e-mail message with the subject: “Fw: Sit back and be surprised…”. This malicious code tries to remove another virus called W32/Lentin and, like Horo, it sends itself out to all the contacts in Outlook’s Address Book. Sahay also modifies files with an “EXE” extension by adding its infection code to the original content of these files. When it has carried out its infection, it restarts the affected computer.
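The two mass-mailers above are identified by fixed subject lines and attachment names, which is exactly the kind of indicator a mail gateway or log review can match on. The following script is an added example (not part of the original report) that scans constructed mail-gateway log lines for the Horo and Sahay indicators quoted in the text, and additionally flags any other “.SCR” attachment as worth a look since both worms arrive as screensaver files. The log line format and the sample addresses are assumptions made for the example.

```python
import re

# Assumed mail-gateway log format (constructed for this example):
#   <timestamp> from=<sender> subject="<subject>" attachment=<filename or ->
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" '
    r'attachment=(?P<attachment>\S*)$'
)

# Indicators as quoted in the report: (attachment name, e-mail subject)
INDICATORS = {
    "Horo": ("HOROSCOPE.SCR", "Today's free horoscope"),
    "Sahay": ("MATHMAGIC.SCR", "Fw: Sit back and be surprised..."),
}

# Constructed sample log lines; none of these are real messages.
SAMPLE_LOG = """\
2002-12-20T08:01:12 from=alice@example.test subject="Today's free horoscope" attachment=HOROSCOPE.SCR
2002-12-20T08:03:44 from=bob@example.test subject="Q4 numbers" attachment=report.pdf
2002-12-20T08:05:09 from=carol@example.test subject="Fw: Sit back and be surprised..." attachment=MATHMAGIC.SCR
2002-12-20T08:07:30 from=dave@example.test subject="lunch?" attachment=-
2002-12-20T08:09:51 from=erin@example.test subject="check this out" attachment=funny.scr
2002-12-20T08:11:02 from=frank@example.test subject="re: horoscope" attachment=horoscope.scr
"""


def normalize(text):
    """Fold typographic quotes/ellipsis and case so indicator matching is tolerant."""
    return text.replace("\u2019", "'").replace("\u2026", "...").strip().lower()


def classify(subject, attachment):
    """Return the worm family name, a generic .SCR warning, or None if clean."""
    subj, att = normalize(subject), normalize(attachment)
    for family, (ind_att, ind_subj) in INDICATORS.items():
        # Either indicator alone is enough: a renamed subject with the known
        # attachment, or the known subject with a renamed attachment, still hits.
        if att == normalize(ind_att) or subj == normalize(ind_subj):
            return family
    if att.endswith(".scr"):
        return "unknown .SCR attachment"
    return None


def scan(log_text):
    """Parse each log line and return (line_no, sender, verdict) for every hit."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        verdict = classify(m["subject"], m["attachment"])
        if verdict:
            hits.append((line_no, m["sender"], verdict))
    return hits


if __name__ == "__main__":
    for line_no, sender, verdict in scan(SAMPLE_LOG):
        print(f"line {line_no}: {sender} -> {verdict}")
```

Matching on either the subject or the attachment name keeps the rule useful when one of the two is altered, and the generic “.SCR” check catches screensaver attachments the named indicators would miss; in practice both would be one input alongside antivirus scanning, not a replacement for it.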
We are going to finish today’s report with Trj/W32.Sevic. This Trojan can block access to computers with versions of Windows in English. A clear indication that this Trojan has reached your computer is an animated GIF image of black silhouettes and obscene content, which is displayed the first time this Trojan activates.