Trojan.Opnis.EM is a typical Win32 malware that spreads via infected e-mails. The mail always carries a deceptively named, packed executable attachment with an extra file extension.
It probably first appeared early in the morning of 19 October 2006. The "Update-KB????-X86.EXE" Trojan is a PE EXE file packed with the UPX (Ultimate Packer for eXecutables) utility. The size of the original file is approximately 67 KB. The file name varies; the question marks stand for different number patterns (for example 5098, 2687, etc.).
When executed, it creates a copy of itself in %windir%\System32 with a random, 10-character-long filename. Here %windir% denotes the actual Windows folder.
It creates the following registry keys and entries to start itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKLM\System\CurrentControlSet\Control\Session Manager]
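The two host-side indicators above (a 10-character random executable dropped into System32, and an autostart entry under the listed keys pointing at it) can be checked offline against an exported list of autostart values. The following is an added example, not code from the original write-up or from VirusBuster; the entry list is constructed for the example, and the assumption that the random name consists of letters and digits is mine, since the write-up only gives its length. On a live Windows host the same entries could be read with the standard winreg module and fed to the same functions.

```python
import re
import ntpath  # Windows path handling that also works when run on other platforms

# Autostart locations named in the write-up.
AUTOSTART_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\System\CurrentControlSet\Control\Session Manager",
]

# Dropped copy: random 10-character base name with an .exe extension.
# The write-up states the length only; the letters-and-digits alphabet is an assumption.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{10}\.exe$", re.IGNORECASE)

# The Windows System32 folder, written either with a variable or as a literal path.
SYSTEM32_DIR = re.compile(
    r"^(?:%windir%|%systemroot%|[a-z]:\\windows)\\system32$", re.IGNORECASE
)


def extract_executable(command: str) -> str:
    """Return the executable path from an autostart command string.

    Quoted paths are taken up to the closing quote; unquoted commands are cut at the
    first space (an unquoted path containing spaces is therefore truncated).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious_autostart(command: str) -> bool:
    """True when the command launches a 10-character random .exe from System32."""
    directory, name = ntpath.split(extract_executable(command))
    return bool(SYSTEM32_DIR.match(directory) and RANDOM_NAME.match(name))


def triage_autostart_entries(entries):
    """Filter (key, value_name, command) tuples down to the ones worth a closer look."""
    return [
        entry for entry in entries
        if entry[0] in AUTOSTART_KEYS and is_suspicious_autostart(entry[2])
    ]


# Constructed sample: two benign-looking entries and two matching the dropped-copy pattern.
SAMPLE_ENTRIES = [
    (AUTOSTART_KEYS[0], "SecurityCenter", r'"C:\Program Files\Common Files\wscntfy.exe"'),
    (AUTOSTART_KEYS[0], "kxvbqmtwze", r"C:\WINDOWS\System32\kxvbqmtwze.exe"),
    (AUTOSTART_KEYS[1], "svchost", r"%windir%\system32\svchost.exe -k netsvcs"),
    (AUTOSTART_KEYS[1], "upd", r'"%windir%\system32\ajqwerlpmz.exe"'),
]

if __name__ == "__main__":
    for key, value_name, command in triage_autostart_entries(SAMPLE_ENTRIES):
        print(f"suspicious autostart: {key}\\{value_name} -> {command}")
```

The name pattern alone is a weak signal (legitimate installers also use odd names), so the check is deliberately tied to both the location and the autostart keys the write-up names; a flagged entry is a lead for hashing and scanning the file, not a verdict.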
It tries to connect to the http://www6.vedasetionkderun.com/ website to download other malware components.
Once executed, the Trojan remains resident in memory. After penetrating the computer, the virus harvests all e-mail addresses found on all hard disks and sends copies of itself to these addresses.
The Subject field of the infected mail is one from the following list:
"Good Day",
"Server Report",
"hello",
"picture",
"Status",
"test",
"Error",
"Mail Delivery System",
"Mail Transaction Failed"
The attachment of the infected mail has a random name, possibly one of the following:
"test.log.bat"
"readme.elm.exe"
"docs.txt.scr"
Clearly, in every case the attachment file has an extra, runnable extension.
The main body of the infected mail is one of the following:
"Mail transaction failed. Partial message is available"
"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment"
"The message contains Unicode characters and has been sent as a binary attachment."
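The mail-side indicators listed above (subject line, double-extension attachment name, and lure text in the body) lend themselves to a small mail-gateway or mailbox triage check. The following is an added example, not code from the original write-up or from VirusBuster; the sample message is constructed, its attachment content is placeholder bytes rather than the Trojan, and the set of executable extensions is limited to the three the write-up names (.bat, .exe, .scr).

```python
from email import message_from_string

# Subject lines listed in the write-up, compared case-insensitively.
LURE_SUBJECTS = {s.lower() for s in (
    "Good Day", "Server Report", "hello", "picture", "Status", "test",
    "Error", "Mail Delivery System", "Mail Transaction Failed",
)}

# Body texts listed in the write-up; whitespace is normalised before comparison
# because mail bodies are often re-wrapped in transit.
LURE_BODIES = [
    "Mail transaction failed. Partial message is available",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment",
    "The message contains Unicode characters and has been sent as a binary attachment.",
]

# Final extensions seen on the attachments in the write-up.
EXECUTABLE_EXTS = {"bat", "exe", "scr"}


def normalise(text: str) -> str:
    return " ".join(text.split()).lower()


def has_extra_executable_extension(filename: str) -> bool:
    """True for names like docs.txt.scr: a decoy extension followed by an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and all(parts) and parts[-1] in EXECUTABLE_EXTS


def score_message(raw_message: str) -> list:
    """Return the list of indicators from the write-up that the message matches."""
    msg = message_from_string(raw_message)
    hits = []

    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        hits.append(f"subject matches known lure: {subject!r}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and has_extra_executable_extension(filename):
            hits.append(f"attachment uses extra executable extension: {filename!r}")
        # Only inspect inline text parts; multipart containers have no decodable payload.
        if part.get_content_type() == "text/plain" and not filename:
            body = normalise(part.get_payload(decode=True).decode("utf-8", "replace"))
            if any(normalise(lure) in body for lure in LURE_BODIES):
                hits.append("body matches known lure text")
    return hits


# Constructed sample message; the attachment body is the base64 of "placeholder".
SAMPLE_MAIL = """\
From: postmaster@example.invalid
To: user@example.invalid
Subject: Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

--XYZ
Content-Type: application/octet-stream; name="docs.txt.scr"
Content-Disposition: attachment; filename="docs.txt.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--XYZ--
"""

if __name__ == "__main__":
    for hit in score_message(SAMPLE_MAIL):
        print(hit)
```

Any single indicator is a reason to quarantine for review; the attachment test is the strongest of the three, since the subject and body texts mimic ordinary bounce notices and will also match legitimate mail.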
VirusBuster products offer detection and removal with database update 9.42.3 or higher.