Opasoft.a, also known as "Brasil", is a new variant of the
"Opasoft" worm that appeared in the middle of October 2002.
The differences are:
1. The original "Opasoft.a" worm is not compressed. The "Brasil"
variant is encrypted with the "PCPEC" PE EXE file encryption
utility and then compressed with the "UPX" PE EXE file compression
tool.
2. The text strings are patched. For example, the following
strings are replaced:
"ScrSvr", "ScrSin" -> "Brasil"
"ScrSout" -> "Brasil!"
"scrupd" -> "puta!!"
"www.opasoft.com" -> "www.n3t.com.br"
As a result the "Brasil" modification behaves a bit differently;
however, the spreading and backdoor routines are exactly the same
as in the original worm variant.
The Opasoft.a worm installs itself to the Windows directory under
the name "brasil.exe" or "brasil.pif" (depending on the "Brasil"
patch variant) and registers this file in the auto-run registry
key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Brasil = %worm name%
While infecting remote computers the Opasoft.a worm uploads itself
under the "brasil.exe" or "brasil.pif" name, and writes a
corresponding string to the remote WIN.INI file.
The backdoor routine connects to the www.n3t.com.br web site and
performs the following actions:
* it downloads and executes its new version (if there is one) from this site
* it downloads and processes script files placed at this site
F-Secure Anti-Virus detects the "Brasil" variant of the Opaserv worm
with the following updates:
[FSAV_Database_Version]
Version=2002-10-21_03
There exist a few minor variants of the Opaserv worm that install
themselves to Windows under the alevir.exe or marco!.scr file names.
These worm variants are detected as Opaserv.A and they have the
same functionality as the original worm variant.
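A defender-side check for the persistence artifacts listed above (the Run key value, the WIN.INI entry and the alternate file names), written here as an added example; it is not part of this F-Secure description or of its disinfection tool. It works on an exported Run key and a WIN.INI text rather than the live system, and the assumption that the string written to WIN.INI is a run= entry under [windows] is mine, not stated in the description.

```python
import configparser
import re
from pathlib import PureWindowsPath

# File names given in the description above; compared case-insensitively.
WORM_FILENAMES = {"brasil.exe", "brasil.pif", "alevir.exe", "marco!.scr"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def win_ini_hits(ini_text):
    """Return run=/load= entries in [windows] that point at a worm file name."""
    # Assumption (not stated in the description): the string the worm writes
    # to the remote WIN.INI is a run= entry under the [windows] section.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    hits = []
    for key in ("run", "load"):
        value = cp.get("windows", key, fallback="") or ""
        for path in re.split(r"[,\s]+", value):        # run= may list several
            if PureWindowsPath(path).name.lower() in WORM_FILENAMES:
                hits.append(path)
    return hits

def run_key_hits(reg_text):
    """Return (name, data) pairs from an exported Run key that match the worm."""
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                       # key header
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)        # "Name"="data"
        if not (in_run_key and m):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg escapes
        if (name.lower() == "brasil"
                or PureWindowsPath(data).name.lower() in WORM_FILENAMES):
            hits.append((name, data))
    return hits

# Constructed sample inputs, modelled on the artifacts described above.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\brasil.pif\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Brasil"="C:\\WINDOWS\\brasil.exe"
"""

if __name__ == "__main__":
    print("WIN.INI:", win_ini_hits(SAMPLE_WIN_INI))
    print("Run key:", run_key_hits(SAMPLE_REG))
```

A value whose name is not "Brasil" is still flagged when its data points at one of the worm file names, which covers the alevir.exe and marco!.scr variants.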
Disinfection Tool
F-Secure provides a special tool to disinfect all known Opaserv
worm variants. The tool and disinfection instructions are
available on our ftp site: