W32.Opanki


Aliases:  Win32.Trykid.J, IM-Worm.Win32.Fliz.a, W32/Opanki.worm, W32/Oscabot-H, WORM_OPANKI.N
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 18 May 2005
Damage: Medium

Characteristics: W32.Opanki is an IRC worm that spreads through AOL Instant Messenger and has also been described as a worm with backdoor capabilities. It additionally uses the Kazaa file-sharing network to propagate, so users of peer-to-peer sharing programs are exposed to it. The program is believed to still contain many bugs. Once executed, it modifies the Windows Registry so that it runs at every Windows startup. The worm does not always succeed in copying itself.

More details about W32.Opanki

There are more than 20 known variants of this worm, which propagates via a hyperlink received over AOL Instant Messenger. Recipients may receive a message such as “hey check out this” or “hehe :) i found this funny movie.” A remote attacker can also have a message sent through AOL Instant Messenger reading “Body: check this out, is that you?” Once the hyperlink is clicked, the user is prompted to either run or save the file, which is an executable copy of the worm. The worm then connects to a remote IRC server and joins a designated channel, where it waits for further instructions. These instructions may be a command for the “bot” program to send the same hyperlink to everyone on the infected user's buddy list. Some reports do not consider this bot a worm, because it requires a “bot” commander to start the “spimming”, that is, the practice of IM spam.
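The IRC side of the mechanism above (connect, join a channel, wait for a message that tells the bot which link to push) is easiest to recognise in a packet capture or proxy log by parsing the raw IRC lines. The following is an added example, not code from the page or from the worm: it parses RFC 1459 lines and flags any channel or private message carrying a link to an executable. The session text is constructed; the lure strings are the ones quoted above, while the server name, nicks, channel and URLs are invented, and the real bot's command syntax is not documented on the page, so the sample simply embeds a link in an ordinary channel message.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a bot session as it would appear on the wire. The
# server, nicks, channel and URLs are invented for this example; the lure
# text matches the messages quoted in the description above.
SAMPLE_SESSION = """\
NICK user123
USER user123 0 * :user123
:irc.example.net 001 user123 :Welcome to the network
JOIN #chan
:irc.example.net 366 user123 #chan :End of /NAMES list.
:op!op@example.net PRIVMSG #chan :hello everyone
:op!op@example.net PRIVMSG #chan :hehe :) i found this funny movie http://example.net/funny.exe
:op!op@example.net PRIVMSG user123 :check this out, is that you? http://example.net/pic.scr?id=1
:op!op@example.net PRIVMSG #chan :read http://example.net/readme.html
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Extensions that Windows will execute directly when the user chooses "Run".
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


@dataclass
class IrcMessage:
    prefix: Optional[str]   # "nick!user@host" or a server name, without the leading ':'
    command: str            # PRIVMSG, JOIN, or a numeric reply such as 001
    params: List[str]       # middle params followed by the trailing param, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command and params."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    # The first " :" starts the trailing parameter; anything after it,
    # including further colons, belongs to that parameter.
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def sender_nick(prefix: Optional[str]) -> str:
    """Nick part of a "nick!user@host" prefix; lines without a prefix came from our own client."""
    return prefix.split("!", 1)[0] if prefix else "<client>"


def flag_link_pushes(session: str) -> List[Dict[str, str]]:
    """Return every PRIVMSG/NOTICE in the session that carries a link to an executable."""
    findings: List[Dict[str, str]] = []
    joined: List[str] = []          # channels the client joined, for context in the report
    for raw in session.splitlines():
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "JOIN" and msg.params:
            joined.append(msg.params[0])
        if msg.command in ("PRIVMSG", "NOTICE") and len(msg.params) >= 2:
            target, text = msg.params[0], msg.params[-1]
            for url in URL_RE.findall(text):
                # Compare the path only: drop the query string and trailing punctuation.
                path = url.split("?", 1)[0].rstrip(".,;)").lower()
                if path.endswith(EXEC_EXT):
                    findings.append({"from": sender_nick(msg.prefix), "to": target,
                                     "url": url, "lure": text, "channels": ",".join(joined)})
    return findings


if __name__ == "__main__":
    for hit in flag_link_pushes(SAMPLE_SESSION):
        print(f"{hit['from']} -> {hit['to']}: {hit['url']}  ({hit['lure']!r})")
```

The filter keys on the file extension rather than on the lure wording, because the wording changes between variants while the payload still has to be something the recipient can run. Links to plain HTML pages are ignored here; in a real investigation they still deserve a look, since a page can redirect to the executable.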

The main function of the W32.Opanki program is possibly to create a backdoor. This sub-routine opens the machine to remote users through an unsecured port. There were speculations that the malware listens on a remote server or a specific channel for commands from remote users that initiate its attacks. The worm allegedly uses a rootkit design to install its components on the victim's machine. The malware may remain resident in memory, and it modifies Registry values so that it loads during Windows startup. There were claims that it stays resident in memory during its activity to avoid detection. It has no active window or user interface, and no process visible in Task Manager, that would reveal its presence on the compromised machine.
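The one concrete, checkable claim in the description is the Registry modification that makes the worm load at startup. A quick way to triage that on a suspect machine is to export the Run/RunOnce keys with `reg export` and audit the entries offline. The script below is an added example, not the page's or the worm's code: it parses the `.reg` export format, pulls the executable path out of each command line, and flags entries that live in user-writable locations or that borrow the name of a Windows system binary from outside System32. The sample export and every entry name and path in it are constructed for this example; the page does not give the worm's file name or the exact value it writes.

```python
import re
from typing import Dict, List, Tuple

# Autostart keys this audit covers. Expected input is the output of
#   reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
# (and the HKCU / RunOnce equivalents), which reg.exe writes as UTF-16.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Constructed sample export; the entry names, vendor names and paths are
# invented for this example (XP-era profile layout to match the 2005 worm).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="C:\\Program Files\\ExampleAV\\tray.exe"
"Updater"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IMHelper"="C:\\WINDOWS\\system32\\imhelper.exe"
"Sync"="\"C:\\Documents and Settings\\user\\Application Data\\ExampleSync\\sync.exe\" /background"
"""

# Locations an ordinary user can write to; a worm dropped by a user-level
# process usually ends up in one of these.
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\users\\",
                 "\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "%temp%", "%tmp%", "%appdata%",
                 "%localappdata%", "%userprofile%")
# Names that only belong in the Windows system directories.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

# "Name"="value" or @="value"; backslash-escaped quotes and backslashes inside.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, string value) for every REG_SZ entry in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue   # hex:/dword: values and their continuation lines are not string entries
        name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        entries.append((key, name, unescape(m.group(2))))
    return entries


def extract_image_path(cmdline: str) -> str:
    """Executable path from an autostart command line, quoted or not."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    # Unquoted path with spaces: grow the prefix until it ends in an executable extension.
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0] if tokens else cmd


def audit_run_entries(reg_text: str) -> List[Dict[str, object]]:
    """Flag autostart entries in user-writable locations or impersonating system binaries."""
    findings: List[Dict[str, object]] = []
    for key, name, value in parse_reg_export(reg_text):
        if key.lower() not in RUN_KEYS:
            continue
        image = extract_image_path(value)
        low = image.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("executable lives in a user-writable location")
        basename = low.rsplit("\\", 1)[-1]
        if basename in SYSTEM_NAMES and not any(d in low for d in SYSTEM_DIRS):
            reasons.append(f"{basename} outside System32 (system binary name impersonation)")
        if reasons:
            findings.append({"key": key, "name": name, "command": value, "image": image,
                             "severity": "high" if len(reasons) > 1 else "low",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in audit_run_entries(SAMPLE_REG):
        print(f"[{hit['severity']}] {hit['key']}\\{hit['name']} -> {hit['image']}: {'; '.join(hit['reasons'])}")
```

To run it on a real export, read the file with `encoding="utf-16"` and pass the text to `audit_run_entries`. Note the limits of the heuristic, which the sample deliberately shows: the `Sync` entry is flagged only as low severity because legitimate software also starts from the profile directory, and the `IMHelper` entry in System32 is not flagged at all, so an autostart entry under a plausible name in the Windows directory still needs to be compared against a clean baseline or checked by file hash rather than by location.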