W32/Opaserv

Threat risk: low

Detection files published: 01 Oct 2002
Description created: 2002-10-01
Description updated: 2003-02-27

Malware type: Worm
Alias:
Spreading mechanism: Network
Payload:

Summary

This is really a family of worms, all of which are so-called network crawlers, i.e. they spread by copying themselves to open network shares. In some cases they may even copy themselves to password-protected shares; this is done through a security hole in Win9x/ME.

Notice: On unpatched systems or systems with open shares, you may get repeated alarms from NVC, as the worm tries again and again to copy itself in from the network.

Variant A: uses filename scrsvr.exe, 28672 bytes long
Variant B: same as A
Variant C: same as A
Variant D: uses filename scrsvr.exe, 27136 bytes long
Variant E: uses filename brasil.pif, 24064 bytes long
Variant F: uses filename brasil.exe, 24064 bytes long
Variant G: uses filename marco!.scr, 12800 bytes long

Other variants exist which are very destructive. Please see the separate description for these.

Spreading description

When the worm is first run, it will install itself in the Windows directory and add a reference to itself from the registry key below:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run scrsvr = [windir]\scrsvr.exe

This ensures that the worm is run during startup.

It will try to create a mutex of a given name; if this fails, it will assume it is already running and terminate.

If it succeeds, it will install itself in memory; under Win9x/ME this process will be hidden from the task list.

When infecting other machines, it adds an extra "run = [Windir]\ScrSvr.exe" line to the WIN.INI file of the remote machine and then copies itself into that machine's Windows directory.

The worm attempts to connect to a web site to download a new (updated) copy of itself; this web site is, however, down.

Other files may be created by the worm. These files, scrsin.dat and scrsout.dat, are used for data storage only and are not infectious.

Removal

  1. Opaserv uses a security vulnerability in Windows 9x/ME to crack network share passwords. Download and install the patch from Microsoft to remedy this.
  2. Download Norman Malware Cleaner (see below).
  3. Disconnect your PC from the Internet and from the local network.
  4. Run Norman Malware Cleaner.
  5. Open c:\windows\win.ini in Notepad. Search for the line "run=c:\ScrSvr.exe" and/or "run=c:\tmp.ini". Delete these lines if present. Save the file. If infected by a variant other than A, B, C or D, please look for the file names outlined above.
  6. You can now reconnect your PC to your local network and to the Internet.
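As an added example (not part of Norman's description or tools), the following Python helper applies the indicators above: it matches a file's name and size against the variant table and strips the worm's entries from a win.ini text, keeping any legitimate programs that share the same run= line. The sample win.ini is constructed, and the separator rule for run= entries (whitespace or commas) is an assumption.

```python
import re

# Indicators as listed in the description above: variant -> (filename, size in bytes)
OPASERV_VARIANTS = {
    "A": ("scrsvr.exe", 28672), "B": ("scrsvr.exe", 28672), "C": ("scrsvr.exe", 28672),
    "D": ("scrsvr.exe", 27136), "E": ("brasil.pif", 24064), "F": ("brasil.exe", 24064),
    "G": ("marco!.scr", 12800),
}
# Basenames the removal step says to look for on win.ini "run=" lines
WORM_BASENAMES = {"scrsvr.exe", "tmp.ini", "brasil.pif", "brasil.exe", "marco!.scr"}

def _basename(path):
    """Last path component, lower-cased; accepts both \\ and / separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()

def match_variants(filename, size):
    """Variant letters whose filename and size both match the file in question."""
    name = _basename(filename)
    return [v for v, (fn, sz) in OPASERV_VARIANTS.items() if fn == name and sz == size]

def clean_win_ini(text):
    """Strip worm entries from every 'run=' line of a win.ini text.
    Returns (cleaned_text, removed_entries). Only the worm's entries are dropped;
    other programs on the same run= line are kept, and the line is deleted
    only when nothing else was on it. Assumption: entries are separated
    by whitespace or commas."""
    out, removed = [], []
    for line in text.splitlines():
        m = re.match(r"^\s*run\s*=(.*)$", line, re.IGNORECASE)
        entries = [e for e in re.split(r"[\s,]+", m.group(1).strip()) if e] if m else []
        bad = [e for e in entries if _basename(e) in WORM_BASENAMES]
        if not bad:  # not a run= line, or a clean one: keep verbatim
            out.append(line)
            continue
        removed.extend(bad)
        keep = [e for e in entries if e not in bad]
        if keep:
            out.append("run=" + " ".join(keep))
    return "\n".join(out) + "\n", removed

# Constructed sample win.ini: the worm's entry shares a run= line with a legitimate program
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\ScrSvr.exe c:\legit\tray.exe
NullPort=None
"""

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE_WIN_INI)
    print("removed:", removed, "\n" + cleaned, match_variants(r"C:\WINDOWS\scrsvr.exe", 27136))
```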

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Related documents:
  Stopping network share infectors
  Cleaning of back-up folders on Windows Me and XP