Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
ALERTS: Viruses

The Opaserv Worm

Windows 95, 98 and ME users, beware of the Opaserv worm. It attacks systems by finding unprotected shares (shares that grant write access to Everyone) and copying itself to scrsvr.exe on the victim system. It also modifies the win.ini file at C:\windows\win.ini and creates a new tmp.ini file in C:\ containing the entry: run= c:\windows\scrsvr.exe

Some versions try to update themselves by visiting a web site and downloading a file, scrupd.exe. Opaserv then searches for more systems to infect.

The best preventative measures are:

  1. Make sure that no share allows Everyone to write,
  2. Ensure your machine has the patch for the vulnerability that lets someone connect to a password-protected share by entering only the first character of the password (see Microsoft Security Bulletin MS00-072),
  3. Run antivirus software and ensure it is kept up to date, and
  4. Refrain from opening attachments unless you know the sender and the attachment content.

If your system becomes infected, you can clean your system with a Symantec Opaserv removal tool.


OpenSSH Trojan Horse

Certain copies of the source code for OpenSSH contain a Trojan horse program that can allow an attacker to gain unauthorized access to a system. The following versions are affected:

openssh-3.2.2p1.tar.gz
openssh-3.4p1.tar.gz
openssh-3.4.tgz

FTP servers at ftp.openssh.com and ftp.openbsd.org distributed this Trojaned version of OpenSSH on July 30 and 21, 2002. On August 1, the Trojan version was removed from both sites and a legitimate version was once again distributed. Anyone who installed OpenSSH from the OpenBSD ftp server or any mirror within that time frame should consider his/her system compromised. The Trojan allows the attacker to gain control of the system as the user compiling the binary, and arbitrary commands can be executed. For more information see CERT® Advisory CA-2002-24.

openssh-3.4p1 checksum mismatch errors: The FreeBSD ports system does automatic MD5 checksumming. Apparently the tarball was trojaned via a shell script that is called by one of the Makefiles; the openssh program itself was not modified.

If you have downloaded the openssh tarball recently, you should compute the MD5 checksum of the tarball.

This is the MD5 checksum of openssh-3.4p1.tar.gz in the FreeBSD ports system:

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the MD5 checksum of the trojaned openssh-3.4p1.tar.gz:

MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

The RH RPMs built for openssh (built back when 3.4p1 first came out) are all based on the good tarball.

For more information, see Slashdot: OpenSSH 3.4p1 package trojaned.
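As an added example (not part of the original alert), a small Python script that streams a downloaded tarball through MD5 and compares the digest with the two checksums quoted above; the throwaway file its main block creates is a constructed stand-in, not the real archive.

```python
import hashlib
import os
import tempfile

# Checksums quoted in the alert above: the FreeBSD ports value is the good
# build, the second is the trojaned tarball. Anything else is "unknown",
# which is not the same as "good".
KNOWN_GOOD = {"459c1d0262e939d6432f193c7a4ba8a8"}
KNOWN_TROJANED = {"3ac9bc346d736b4a51d676faa2a08a57"}


def md5_of_file(path, chunk_size=65536):
    """Hash the file in chunks so a large tarball need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_md5(digest):
    """Map a hex digest to 'good', 'trojaned' or 'unknown' (case-insensitive)."""
    d = digest.strip().lower()
    if d in KNOWN_GOOD:
        return "good"
    if d in KNOWN_TROJANED:
        return "trojaned"
    return "unknown"


def check_tarball(path):
    """Return (digest, verdict) for the file at path."""
    digest = md5_of_file(path)
    return digest, classify_md5(digest)


if __name__ == "__main__":
    # Constructed stand-in file: the verdict will be "unknown" unless you
    # point check_tarball() at the real openssh-3.4p1.tar.gz download.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".tar.gz") as tmp:
        tmp.write(b"not the real openssh-3.4p1.tar.gz")
        name = tmp.name
    try:
        digest, verdict = check_tarball(name)
        print(f"MD5 ({os.path.basename(name)}) = {digest}  -> {verdict}")
    finally:
        os.remove(name)
```

MD5 is no longer collision-resistant, so this only tells you whether a file matches one of the two values the alert lists; treat an "unknown" result as unverified rather than clean.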


The Phabot Worm

The Phabot worm is polymorphic (meaning that it can change itself), enabling it to infect systems and then spread to others without being detected by anti-virus software. It exploits vulnerabilities in a large number of services and programs, including the Distributed Component Object Model (DCOM), DCOM2, DameWare, the Windows Locator Service, WebDAV, the Windows Workstation Service, Windows shares, and others. Phabot also attempts to discover usernames and passwords for Internet Relay Chat (IRC) channels and FTP server access. If this worm exploits a vulnerability on a system, it starts an FTP server on that system and then transfers a copy of the worm executable (usually named srvhost.exe or svrhost.exe) to the system folder (normally either C:\winnt or C:\windows) and modifies the system's Registry so that it executes every time the system starts. The particular Registry keys that Phabot targets are:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Phabot adds a subkey, Generic Service Process, to both keys and then adds values of "srvhost.exe" or "svrhost.exe" to these new subkeys.

If Phabot infects a system already infected by MSBlast, Sobig.F, or Welchia, it eradicates any executables for these worms. It can create an ident server and can even set up an HTTP, HTTP-S, or socks proxy for the purpose of evading network security mechanisms. Phabot also may attempt to obtain copies of keys for Windows products and CDs, copies of Paypal cookies, and email messages. If it can connect to AOL, it attempts to send spam to other machines, too. Infected systems form a cooperative and malicious bot network using both Gnutella (a peer-to-peer file sharing program) and IRC channels. Finally, it can launch a denial of service (DoS) attack against other systems by flooding them with HTTP, SYN, and other types of packets.

Cleaning An Infected System

If your system becomes infected by the Phabot worm, you'll need to clean the infection by at least doing the following three things:

  1. Go to the infected machine's system folder and locate srvhost.exe, svrhost.exe, or possibly an executable with another name, and then delete it.
  2. Bring up the Task Manager by pressing CTRL+ALT+DEL. Click on Task Manager, and then
  3. Delete the entire "Generic Service Process" Registry key from
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices


The Refoav Worm

The new W32.Refoav@mm worm is spreading rapidly over the Internet. Arriving as a message with the subject "No esta registrado el usuario," it infects a system if a user on that system opens the attachment (which is named "FOAVRE.exe").

Refoav copies itself onto Windows systems as C:\FOAVRE.exe and then immediately creates two additional files, C:\Vbseli.vbs and C:\Datospc.dat. It sets the attributes of each of these files to Hidden and Archive; it also sets the System attribute on C:\Datospc.dat. It then adds the value "Load"="c:\vbseli.vbs" to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the infected system's Registry, enabling this worm to run at boot time.

Finally, Refoav uses Microsoft Outlook to transmit itself to every address in the Outlook Address Book. The best preventative measures are to refrain from opening attachments from people you do not know and to keep your system's anti-virus software current. If your system becomes infected by Refoav, visit http://securityresponse.symantec.com/avcenter/venc/data/w32.refoav@mm.html for procedures to clean up systems that have been infected by this worm.
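As an added example serving both the Phabot and Refoav sections (not a tool from the lab or from Symantec), a Python scan over a text .reg export that flags the Run/RunServices persistence entries described above; the sample export is constructed, and treating Phabot's executable name as appearing in either the value name or its data is an assumption of mine.

```python
import re

# Constructed sample export (not from a real machine): a Refoav "Load" value,
# a benign entry, and a Phabot "Generic Service Process" subkey.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Load"="c:\\vbseli.vbs"
"SafeApp"="C:\\Program Files\\Vendor\\app.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process]
"svrhost.exe"="C:\\WINNT\\System32\\svrhost.exe"
"""

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
PHABOT_SUBKEY = "Generic Service Process"     # subkey Phabot adds under both keys
PHABOT_EXES = ("srvhost.exe", "svrhost.exe")  # worm file names reported above
REFOAV_LOADER = "vbseli.vbs"                  # script Refoav registers as "Load"

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string data only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^\[(.+)\]$", line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and (m := re.match(r'^"([^"]*)"=(.*)$', line)):
            # .reg files escape backslashes inside string data as "\\"
            keys[current][m.group(1)] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def find_persistence(text):
    """Flag Run/RunServices entries that match the Phabot and Refoav indicators."""
    hits = []
    for key, values in parse_reg(text).items():
        for run in RUN_KEYS:
            if key.lower() == run.lower():
                for name, data in values.items():
                    if name.lower() == "load" and REFOAV_LOADER in data.lower():
                        hits.append(("Refoav", key, name, data))
            elif key.lower() == f"{run}\\{PHABOT_SUBKEY}".lower():
                for name, data in values.items():
                    if any(e in (name + data).lower() for e in PHABOT_EXES):
                        hits.append(("Phabot", key, name, data))
    return hits
```

Run it against an export made with `regedit /e` from a suspect machine; a hit identifies which key and value to remove in the cleanup steps above.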
