New Details Covering The Opasoft Worm

03 Oct 2002
Virus News


How should you protect your computer? As was reported on October 1st, the Internet suffered a new epidemic courtesy of the "Opasoft" worm, which aggressively asserted itself as one of the three most widespread malicious programs by recording numerous incidences in a myriad of countries the world over. Currently, 40% of all cases Kaspersky Lab technical support is dealing with are connected to Opasoft, a figure exceeding even those of other dangers worms such as "Klez" and "Tanatos". Distinguishing "Opasoft" is the way it spreads over the Internet. The worm scans the global network and determines which computers are running Windows 95/98/ME and on which to attempt to gain access to drive C. Next, "Opasoft" goes through access passwords to these resources and if it is successful in gaining access it promptly infects victim machines with copies of itself. To search infected computers "Opasoft" uses communications ports (137 and 139) accepted in Windows networks for exchanging data. It is precisely this fact that these ports are targeted for hacker attack. This together with the circumstance that so many users and system administrators do not follow secure policies for computer resources, predetermined the rapid spread of the Opasoft worm. Kaspersky Lab strongly recommends taking the following actions in order to avert the possibility of "Opasoft" penetration: Home Users must check if any computer services have been assigned for user files or printers. To do this, users should right click on the Network Neighborhood icon, select Properties and click on File and Printer Sharing. A window opens showing the current status of services, if system access to services has been established inappropriately users can then correct it. If a user knowingly opens access to Disk C, it is then necessary to make certain that it is password protected with a long password with no less than two symbols. System Administrators are recommended to protect access to ports 137 and 139 from external access. On all computers that must transmit data to external networks via these ports, it is important to check the shared resources list to make sure they are properly password protected. Finally, Internet Providers are also recommended to close ports 137 and 139 to their clients and open them only upon special request to execute specific tasks. Kaspersky Lab points out that "Opasoft" infects only computers running Windows 95/98/ME, therefore the measures outlined above are not needed for computers using other operating systems, for example, Windows 2000 or Windows XP. Please become familiar with the updated technical description of the "Opasoft" network worm in the Kaspersky Virus Encyclopedia.