Social 101 Wiki

(Image: Opaserv payload)

When the worm runs, it drops its files into the Windows directory and adds registry keys so that it is launched on startup. To spread, it scans local network shares and the internet for publicly reachable network shares to infect. When it finds one, it uses a vulnerability unique to Windows 95, 98 and Me to "suggest" only the first byte of the share password to the remote machine. For example, if the password was adam123, the worm only has to suggest the letter "a" to be granted access. Once it has access, the worm drops its files, marks itself to run automatically on startup, and begins the process again.
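The password-prefix defect described above, as an added illustration that is not part of the wiki page and is not Windows code: it assumes the flaw works the way the page describes (the share-password check accepts a guess that matches only the bytes the client sent) and places that defective check next to one that compares the whole secret. The password value is the page's own example; the audit helper is a constructed name.

```python
"""Model of the password-prefix defect Opaserv relied on.

Added illustration: not code from the wiki page or from Windows. It
assumes the flaw works as the page describes, i.e. the share-password
check accepts a guess that matches only the first byte(s) sent, and
places that defective check next to one that compares the whole secret.
"""
import hmac

# Constructed sample value taken from the page's own example.
SHARE_PASSWORD = b"adam123"


def vulnerable_check(stored: bytes, supplied: bytes) -> bool:
    """Defective check (modelled): only len(supplied) bytes are compared,
    so a client that sends a single correct first byte is let in."""
    if not supplied:
        return False
    return stored[: len(supplied)] == supplied


def hardened_check(stored: bytes, supplied: bytes) -> bool:
    """Correct check: the full secret must match, compared in constant
    time so neither the length nor a prefix leaks through timing."""
    return hmac.compare_digest(stored, supplied)


def accepts_single_byte(check, stored: bytes) -> bool:
    """Audit helper (constructed): does `check` accept some one-byte
    guess for `stored`? A sound check returns False for every
    non-empty password; the defective one returns True for all of them."""
    return any(check(stored, bytes([b])) for b in range(256))


if __name__ == "__main__":
    print("vulnerable accepts 'a':", vulnerable_check(SHARE_PASSWORD, b"a"))
    print("hardened accepts 'a':", hardened_check(SHARE_PASSWORD, b"a"))
    print("hardened accepts full password:",
          hardened_check(SHARE_PASSWORD, SHARE_PASSWORD))
    print("single-byte exposure (vulnerable, hardened):",
          accepts_single_byte(vulnerable_check, SHARE_PASSWORD),
          accepts_single_byte(hardened_check, SHARE_PASSWORD))
```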

After certain conditions are met, or if the worm's registry keys are modified, Opaserv's destructive payload activates. It drops a few files into the root directory and reboots the computer. On reboot the MBR has been overwritten, and a fake notice from the BSA is shown to the user. The message claims that the copy of Windows 95/98/Me on the system is pirated and that the user's license has been revoked. On physical machines the infected hard drive begins clicking and whirring loudly, a sign that drive activity has risen to the maximum the drive allows: the payload is repartitioning the disk, which forces the user to format the drive and install a fresh copy of the operating system.

The same MBR screen is also used by ResonateII to claim that the copy of Windows XP or later is pirated.