Beating the Dupator! Virus and Opasoft Worm
Have you ever had a virus or worm? I never had one until just a few weeks ago. Want to learn what to look for and how to get rid of it? Not all virus scanners can detect all viruses, and without the latest DAT files they cannot. If a virus mutates, then even the latest DAT file may not work.
As many of my customers know, I do not run virus scanners in the background on my machines. I only use them once in a while. I have a great firewall and an extensive anti-virus utility on my server. I now use Special Agent PC Secure all the time when I'm on the Internet or reading email. Additionally, I use a small utility that I created for myself; it checks for added files before exiting Windows. Part of this home-made utility is now included in the latest version of WinSafe. Anyway, before all this protection, I did get a virus, Dupator!, and it downloaded the Opasoft worm; that is what I believe happened. Now let me explain how I found it, and how I beat it.
I stumbled across the file Kernel32.dll in my Windows folder, not thinking too much about it as it is a Windows file, but it belongs in the System folder. I deleted it. I thought that maybe, while I was doing some maintenance work, I had extracted it from the Windows cab files to Windows in error. Then when I went to shut down, there was a file named NULL in the root directory, which WinSafe told me about. Thinking it was from a program that I ran, I just let it be, and shut down.
Now, I have to explain what had happened just prior to this so you can understand what was going on. I had not formatted my machine for 4 years, and I was starting to have a problem with my context menus opening. They were really slow, so I started to check the registry for an error; with no luck, I did some Internet research, and no luck was found there either. I spent about 10 hours trying to fix it without any success. So I decided that maybe it was time to format. But I don't format unless there is a FAT problem. So I rebooted and went to DOS, renamed the Windows folder to "Winold" and installed Windows to C:\Windows again. This makes a nice clean installation of Windows. Then I started opening each program and moving any needed files from Winold to Windows, or I extracted new files as needed. So now you see that a misplaced file such as the Kernel in Windows could happen, and the NULL file (C:\Null) could have been created by some software starting up for the first time; I deleted it, not paying any attention to the file date/time.
The day after discovering the NULL file, I went to reboot and the Kernel32.dll file was in C:\Windows again! Now I am suspicious! So I went to delete it, but the file was in use and could not be deleted. Windows was using the Kernel32.dll file in the Windows folder rather than the one in the System folder!!! Now I know something is going on, but what? Windows always looks in its own folder first for a DLL and then in the System folder, so the Kernel32 in Windows will load and not the one in System.
I then rebooted to DOS, deleted the Kernel32.dll in Windows and replaced the one in my System folder as well. Restarting Windows, I proceeded to the Windows folder to take a look; it was gone, but now I noticed a file Marco!.scr, and I know that is not a Windows file. So here again, I thought it was added by some piece of software I ran, as it had the current date for the creation date. But it had a .scr file extension, which is normally for a screen saver. So I opened the file in Notepad, found a URL to www.Opasoft.com, and deleted it. I did not recognize the URL, and started up Norton AntiVirus; it found nothing, so I went about my business.
I got online and checked my email. As I was reading the mail, I noticed that there were packets of information passing over my Internet connection. I keep the Network icon in my System Tray and the lights were flashing. I was just reading plain-text email, so there shouldn't have been any activity. I closed the connection and started looking around my computer. I found that the NULL file was back, and decided to send it to the Recycle Bin for safe keeping. When you send a file to the Recycle Bin it gets renamed, although the file name appears in Windows Explorer to be the same. This means that if I got a worm or virus, it cannot find this file any more.
I then found that Marco!.scr was also back. Using Notepad, I found references to MARCO!.scr, Brasil.exe, Brasil.pif, Scrsvr.exe, Alevir.exe, the word DUPATOR! and a new URL www.w3???.com. I also found Brasil.pif, Alevir.exe, and Scrsvr.exe on my system, all located in the Windows folder. I then decided to check my Network configuration and found that file sharing was checked (allowed) in the bindings on the connection. I then unchecked it and thought to myself that I probably did not double-check this after setting up my connection and TCP/IP network connection with the new installation of Windows. This was how the Opasoft worm got in, and the Opasoft worm was infected with DUPATOR!. It was my fault for not double-checking the bindings.
I then started up my Norton AntiVirus software and it found Opasoft (Brasil.pif, Alevir.exe, and Scrsvr.exe) and fixed it. However, it did not find DUPATOR!. I must admit that I did not have the latest DAT files, but DUPATOR! was first found in 1999. I then copied the NULL file to C:\Temp and opened it up in Notepad again.
I got on the Internet and did some research about MARCO!.scr and found out that it enters your machine while online if file and printer sharing is allowed. So that is where I got the Opasoft worm from. Everything I read instructed me to just delete these files, reset your file sharing, and it is gone. I did that. But then on reboot the NULL file was back. I checked my Network connections again and they were once again reset to allow file sharing in the bindings, and once again I unchecked them to disallow file sharing. DUPATOR! would change the settings so that it could download Opasoft.
I checked the NULL file date and deleted it. The file date was from 1994 (9/24/94); why so old for a new worm, and why would it not have today's date if it was just created? I did a search for files dated 9/24/94 and found that my system file Regocx32.exe had the same date and time as NULL. And while setting up my new Windows folder I had found that Regocx32.exe was crashing when trying to register an OCX file. Both the C:\NULL file and the Regocx32.exe in the System folder were about 1600 bytes bigger than the Regocx32.exe file in Perfect Companion's folder. The Regocx32.exe in the System folder had the word DUPATOR! in it when I checked it with Notepad, but not the one in Perfect Companion's folder. This explains why Regocx32.exe was crashing when trying to register OCX files: it was infected. I rechecked the Network bindings only to find they were sharing files again.
Now I wanted to know about DUPATOR!. So I got on the Internet and went to the URL that was in the NULL file, which was closed down, on port 80 anyway. I did some research on DUPATOR! and found that it was a virus using port 163 and a few others, and that it is memory resident. Being a memory-resident virus, the virus gets loaded into memory and then infects PE files (PE is a type of file header, normally for exe and dll files) that are loaded into memory. If you delete the infected files you still have the virus if you don't kill it in memory. This explains why the Regocx32.exe file in Perfect Companion's folder was different; it had not been started since the virus got onto my machine.
I found many people claiming that their anti-virus software found and killed Opasoft, also known as Opaserv, but that it kept coming back. Some people were reporting that their anti-virus software did not find DUPATOR!. However, at one site, someone said that they used Solo anti-virus at www.srnmicro.com, which found and fixed DUPATOR! and Opasoft. So I downloaded the trial version and ran it.
God! The first thing that it reported was that DUPATOR! was in memory. It was all over; I could not believe it, so I did not let it fix anything yet. I went and checked all the files it was reporting and found that they were all dated 6/8/00, the same date as the Kernel32.dll in the System folder. I restarted Solo and let it clean house.
I got back on the Internet and did some more research to find out how I could get both a virus and a worm at the same time. It so happens that the Opasoft worm was infected by DUPATOR!, and DUPATOR! was downloading the worm from port 163 to my port 139 from the URL www.Opasoft.com, which was also closed on port 80. A vicious cycle; this is why those people could not get rid of Opasoft.
After I was sure I had killed both DUPATOR! and the Opasoft worm, I started replacing all the files that were infected; they all carried the current date and time of the repair, so finding them was easy. They were all about 2KB larger after being fixed than they had been before being infected. I then did a complete search of all my computers looking for the strings DUPATOR! and Opasoft. I found several files in my _Restore folder with the word DUPATOR!. Windows ME uses this folder to restore your computer with the System Restore utility. So I deleted the entire folder from DOS.
DUPATOR! would copy the Kernel32.dll to the Windows folder and rewrite the GetFileAttributes command in the Kernel32.dll (the one in Windows) to activate itself when you reboot. I assume that Norton could not find it because I had deleted the Kernel32.dll in Windows. And until it can replace the one in System with the infected file in Windows, it will keep copying the Kernel32.dll to the Windows folder to infect it. But why could Norton not find it in memory, where it was doing all the damage?
Now I am telling you all this so that you can start checking for viruses and worms, and learn how to go about killing them even if your anti-virus does not find them. I know not everyone knows every file they have and their dates, but with a little help from your utilities you can get the information. Between RegRepair 2000's "Check Libraries" function, Registry Watch's SnapShot function, WinSafe's Exit tool (Verify Check Sums and System File Report), and System Sentry's "System File Checker", you can learn a whole lot.
Built into our WinSafe is a series of automatic checks for viruses and Trojans. It runs them before you shut down. If it sees something wrong it will tell you; if it sees new files added to or deleted from the Windows or Windows\System folders, it will tell you about it and can report the new, changed or missing files.
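As an added example, not WinSafe's code and not the author's home-made utility, here is a small Python tool that shows the checks described above in working form: a baseline snapshot of a folder (size plus SHA-256 of every file), a report of files added, missing or changed since that baseline, a search of every file for the marker strings DUPATOR! and Opasoft, and a list of file names present in both the Windows folder and its System subfolder (the Kernel32.dll-in-Windows sign from the story). The sample tree that demo() builds is constructed here for illustration, and the paths, file contents and hash choice are assumptions; it mirrors the changes reported above (a Regocx32.exe that grows and gains the marker, a Kernel32.dll appearing in the Windows folder, a NULL file in the root, a Marco!.scr dropper, and one original file that goes missing).

```python
# Added example (not WinSafe's or the author's code): baseline-and-verify checks
# of the kind the article describes. Paths, contents and the use of SHA-256 are
# assumptions made for this illustration.
import hashlib
import os
import shutil
import tempfile

MARKERS = (b"DUPATOR!", b"Opasoft")   # strings the article reports inside infected files


def _relpath(full, folder):
    """Relative path with forward slashes, so results compare the same on any OS."""
    return os.path.relpath(full, folder).replace(os.sep, "/")


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder):
    """Map relative path -> (size, sha256) for every regular file under folder."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            result[_relpath(full, folder)] = (os.path.getsize(full), hash_file(full))
    return result


def compare(baseline, current):
    """Return (added, missing, changed) relative paths between two snapshots.
    A file-infecting virus changes content but not name or location, so the
    'changed' list is the one that catches it; size growth shows up here too."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, missing, changed


def scan_for_markers(folder, markers=MARKERS):
    """Return {relative path: [markers found]} for files containing any marker.
    This is the 'search every file for the string DUPATOR!' step from the article."""
    hits = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as f:
                data = f.read()
            found = [m.decode() for m in markers if m in data]
            if found:
                hits[_relpath(full, folder)] = found
    return hits


def shadowed_names(windows_dir, system_dir):
    """File names present in both folders (case-insensitive). The article's
    tell-tale sign was a Kernel32.dll in the Windows folder next to the real
    one in System, so a duplicated system file name there deserves a look."""
    def names(d):
        return {n.lower() for n in os.listdir(d) if os.path.isfile(os.path.join(d, n))}
    return sorted(names(windows_dir) & names(system_dir))


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed sample tree, take a baseline, then apply changes
    that mirror the article's account and return what the checks report."""
    base = tempfile.mkdtemp()
    try:
        win = os.path.join(base, "Windows")
        system = os.path.join(win, "System")
        os.makedirs(system)
        _write(os.path.join(system, "kernel32.dll"), b"MZ constructed clean kernel32")
        _write(os.path.join(system, "regocx32.exe"), b"MZ constructed clean regocx32")
        _write(os.path.join(win, "win.ini"), b"[windows]\n")
        baseline = snapshot(win)

        # Constructed changes: Regocx32.exe grows by ~1600 bytes and gains the marker,
        # Kernel32.dll appears in the Windows folder, NULL appears in the root,
        # a Marco!.scr dropper appears, and one original file disappears.
        _write(os.path.join(system, "regocx32.exe"),
               b"MZ constructed clean regocx32" + b"\x00" * 1600 + b"DUPATOR!")
        _write(os.path.join(win, "kernel32.dll"), b"MZ constructed patched kernel32 DUPATOR!")
        _write(os.path.join(base, "NULL"), b"http://www.Opasoft.com\n")
        _write(os.path.join(win, "Marco!.scr"), b"constructed Opasoft dropper")
        os.remove(os.path.join(win, "win.ini"))

        added, missing, changed = compare(baseline, snapshot(win))
        return {
            "added": added,
            "missing": missing,
            "changed": changed,
            "markers": scan_for_markers(base),
            "shadowed": shadowed_names(win, system),
            "null_present": os.path.isfile(os.path.join(base, "NULL")),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine you would take the baseline snapshot of the Windows and System folders right after a clean install, store it somewhere the machine cannot quietly rewrite, and run compare() at every shutdown, which is the same moment WinSafe runs its checks. The marker search is only as good as the strings you feed it, which is why the hash comparison, not the string search, is the check to trust.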
If you want to learn more about Win95.Dupator, go to http://www.avp.ch/avpve/newexe/win95/dupator.stm; this site has a good explanation of it.
DUPATOR! is known by several names or variants: Win95/DUPATOR!, W32/DUPATOR!, DUPATOR! 1503.
http://www.computing.net/security/wwwboard/forum/3289.html has a good article on the Opasoft worm, also known as Opaserv.
If you were sent to this page by WinSafe, read this
If WinSafe reported a virus and the file C:\NULL was found, review the file in Notepad. If it was placed there by a program and NOT by DUPATOR!, Opasoft or another virus, and you want to keep it, you can set WinSafe to not check for the file. If you need help, read this page starting at the top.
Open the WinSafe.ini file in the Windows folder. Find the section [System Check] and the line that begins with:
Null=
To stop WinSafe checking for the C:\Null file, change that line to:
NULL = 1
If this line is not there, please download the current version of WinSafe.