Virus Profile: Opachki.a

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 11/3/2009
Date Added: 11/3/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Trojan
DAT Required: 5784
Removal Instructions

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

  • Presence of the mentioned files and registries.
  • Unexpected connection to the mentioned websites.


Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.


Virus Characteristics

-- Update November 4, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://isc.sans.org/diary.html?storyid=7519

--

Upon execution, this trojan drops a DLL component, detected as Opachki.a, at the following locations:

  • %UserProfile%\ntuser.dll
  • %UserProfile%\local settings\temp\rundll32.dll
  • %UserProfile%\Start Menu\Programs\Startup\scandisk.dll
  • %UserProfile%\start menu\programs\startup\scandisk.lnk
  • %SystemDir%\calc.dll 

(Where %UserProfile% is the Windows user profile folder, e.g. C:\Documents and Settings\USER, %SystemDir% is the Windows system folder, e.g. C:\Windows\System32)

It also creates the following registry entries so that the DLL is executed automatically at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    calc = rundll32.exe %USERPROFILE%\ntuser.dll,_IWMPEvents@0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    calc = rundll32.exe %SystemDir%\calc.dll,_IWMPEvents@0

This trojan deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The DLL component is injected into running processes and monitors web traffic.

It can then inject a script tag into every website visited, causing the browser to open the website:

  • google-analystisks.us 

Currently this website serves JavaScript that can replace links inside web pages so that they point to:

  • thefeedwater.com
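The file, Run-key and SafeBoot indicators listed above, turned into a read-only host check. This is an added example, not McAfee's or AVERT's code; it assumes %UserProfile% maps to the USERPROFILE variable and %SystemDir% to SystemRoot\System32, and the function names are mine.

```python
import os
import re

# Indicators taken from the profile above; env tokens kept as the profile writes them.
DROPPED_FILES = [
    r"%UserProfile%\ntuser.dll",
    r"%UserProfile%\Local Settings\Temp\rundll32.dll",
    r"%UserProfile%\Start Menu\Programs\Startup\scandisk.dll",
    r"%UserProfile%\Start Menu\Programs\Startup\scandisk.lnk",
    r"%SystemDir%\calc.dll",
]
# Shape of the Run values in the profile: rundll32.exe <dll>,_IWMPEvents@0
RUN_VALUE_RE = re.compile(r"^\s*(\S*[\\/])?rundll32(\.exe)?\s+(?P<dll>.+?)\s*,\s*_IWMPEvents@0\s*$", re.I)

def expand(path, env):
    """Replace %Name% tokens from env (lower-case keys); unknown tokens stay as written."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def is_opachki_run_value(data):
    """True if a Run value loads a DLL through rundll32 via the _IWMPEvents@0 export."""
    return RUN_VALUE_RE.match(data) is not None

def check_indicators(env, run_values, safeboot_present, exists=os.path.exists):
    """Return (kind, detail) findings. env: {"userprofile": .., "systemdir": ..};
    run_values: {hive: {name: data}}; exists is injectable for offline testing."""
    findings = [("file", expand(p, env)) for p in DROPPED_FILES if exists(expand(p, env))]
    for hive, values in run_values.items():
        for name, data in values.items():
            if is_opachki_run_value(data):
                findings.append(("run", f"{hive}\\...\\Run\\{name} = {data}"))
    if not safeboot_present:
        findings.append(("safeboot", r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot is missing"))
    return findings

def collect_live():
    """Windows only: read the same inputs from the live registry (read-only access)."""
    import winreg  # imported lazily so the module still loads on non-Windows hosts
    def read_run(root):
        with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            count = winreg.QueryInfoKey(key)[1]  # (subkeys, values, last-write time)
            return {n: str(d) for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}
    runs = {"HKCU": read_run(winreg.HKEY_CURRENT_USER), "HKLM": read_run(winreg.HKEY_LOCAL_MACHINE)}
    try:
        winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\SafeBoot").Close()
        safeboot = True
    except OSError:  # the profile says the trojan deletes this key
        safeboot = False
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    env = {"userprofile": os.environ.get("USERPROFILE", ""), "systemdir": os.path.join(sysroot, "System32")}
    return env, runs, safeboot
```

On a Windows host, `check_indicators(*collect_live())` runs the three checks against the live system; a missing SafeBoot key is reported as its own finding because the profile describes its deletion as part of the infection.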

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations