
W32.Opaserv.worm ..won't go away!!


Hi,

It is extremely hard to believe that nobody has yet posted this problem. I have Norton installed, it updates every day, and I also have Protector Plus installed. I have the W32.Opaserv.worm removal tool (4 different types btw).. I have installed the Win98 MS patch that deals with the vulnerability regarding this worm. I have removed, per Symantec's instructions, the scrsvr.exe file and edited the win.ini file, as well as gone into the registry and cleaned out there.

BUT.. the worm just keeps coming back over and over every time I connect to Outlook Express or the Internet via IE. Then Norton catches it and deletes it. It's the most annoying thing I have ever experienced on a PC to date!!!

Seems there is no fix.. just a catch using the various virus programs.

I have spent hours on all the high-tech PC forums and newsgroups.. most folks.. even the experts are having the same problem as I am.

Anyone else having this problem?

My last resort is to try writing my own scrsvr.exe file using Notepad with 0 bytes and making it 'read-only' and placing it in the Windows directory. I'll do this tonight; it is supposed to fool the said worm, and folks have had no problems after doing this according to recent newsgroup postings on the subject.

Incidentally.. since viruses these days are getting clever, is it worth AVSIM creating a "virus information forum"? At least you can talk over these problems with fellow flightsimmers.

Regards.. Trev

Visit "The DC-3 Hangar" http://www.douglasdc3.com


Reading Symantec's response regarding this, it discusses how the virus replicates, but it doesn't discuss how a host gets infected. I suspect you may have been infected as a host, vs. being a network/DSL/Cable share. Let's assume the infection came via an attachment. Several new viruses/worms can be executed without running the attachment...simply previewing the message may cause it to execute. So it's possible you still have the message in Outlook that infected your system in the first place. You'd have to find it and delete it.

If you know the date when the infection first appeared, you might be able to identify other files it has "played" with. Do a search for all files modified on or after that date. Pay close attention to any strange .ini files, html files, .bat files, etc..... Rename those that are suspect. Also, when cleaning it, restart your system in safe mode, then do the registry and win.ini modifications.... A lot goes on when you launch Outlook Express and IE. I don't know how, but Aureate spyware "attaches" itself to IE through an uncommon vector in the registry. It is possible that the worm you have has done the same thing, even as a variant of the original worm.

One of the toughest things to troubleshoot remotely is an infection like yours. I support about 150+ workstations and about 10 remote laptop users. Whenever I hear of one of our laptop users infecting their system, my response is always the same--ship it... I'm afraid even with the tips I've given you, it's a bit too much to tackle without actually seeing what the thing is doing on your system... But prioritize by trying the cleaning process in safe mode, then my other suggestions if that doesn't work...

-John


Hi John,

Believe it or not, the worm came from a Windows 98 update from MS. That is how most folks got it. I have another PC networked; I disabled the share drives, disconnected the cable and changed the password. Supposedly, this worm is harmless, however it is annoying. Last night I made a scrsvr.exe file with 0 bytes from Notepad and made it read only. Have not yet tested it by going online though.

Most folks according to newsgroups, including myself, tried what you suggested, but there is no joy. Most folks also are surprised that the likes of McAfee and Norton have not yet been able to fully disinfect the worm.

Outlook is fine, I deleted all e-mails and printed out the ones I wanted to keep.

What surprises me the most, I think, is that in the flightsim community.. no other simmers seem to have experienced this and yet.. it is common and widespread?

Regards.. Trev


"Believe it or not, the worm came from a Windows 98 update from MS"

Which update? We have regular IT briefings, and the only thing I've heard related to updates was a bogus update notification and "spoofed" site designed to look like Microsoft's. Do you have a link to the updated file, or were you notified via email that an update was available? Really curious about how this has managed to fly under the radar....


The usual critical updates page on the Microsoft web site for WIN98 comes up every now and again when you go online; it's an automated feature.

Have you seen the newsgroups about this worm? They have it covered as I have and have the same problems as I am having.

Regards.. Trev


I've seen the newsgroups, and have seen many people going through what you're going through trying to remove it. Really makes me believe there's more than one variant of the critter...


Well.. either that.. or the source file (the culprit) has not been identified by Norton or McAfee gurus.. Remember I told you I created a dummy scrsvr.exe file? .. I haven't tried it yet.. (by going online I mean) but I will do tonight when I get home. I'll let you know.

Regards.. Trev


I also have this problem but I'm no computer wizard. Could you please be so kind as to tell me how to create a dummy scrsvr.exe file?

Thanks

Paul Gardner


Seems Opaserv has come back to haunt us in another way.. 'brasil.pif' and YET AGAIN.. the Norton guys are useless in preventing it!!!

Here is the fix...

Open Notepad.. save as Brasil.pif and do it again and save as scrsvr.exe and put both (0 bytes) in your WINDOWS directory.

Right click, properties, and mark as 'read only'..

Opaserv will go away.

What's the deal with Norton? Can they not remedy the Opaserv worm?

Regards.. Trev


Trev,

The SimWorks (www.thesimworks.co.uk) have a very effective online worm, virus killer updated daily. It worked 200% for me after Norton missed it.

The new worm, Opaserv.E (W32/Opaserv.E). This malicious code is particularly adept at spreading across networks, which makes it especially dangerous for corporate environments. Opaserv.E spreads across shared network drives and copies itself as Brasil.exe or Brasil.pif, going resident in the affected computer. It creates an entry in the Windows registry in order to ensure it is run on every system startup.

The worm tries to connect to two separate Internet addresses in order to download applications and run them on the infected computer. However, these addresses are at present inaccessible.

Opaserv.E is a variant of W32/Opaserv, which first appeared on September 30.

Good luck

George


Tried it.. doesn't work.. none of the removal tools work, they only prevent or flag incoming ones.

Take a read of the newsgroups.. even the PC gurus are having a problem. It has become a HUGE subject.

The only thing that DOES work is to fool the worm and create files as read only with 0 bytes from Notepad.

I have three so far..

brasil.pif
brasil.exe
scrsvr.exe

Norton, McAfee have no clue and that surprises me.

Regards.. Trev


Trevor,

I just tried it myself again with no problems...strange! I've noticed sometimes all the components don't load first time; trying again seems to load them eventually. I used this at work and home and found it the most effective. Only my opinion but it kicks Norton, which has let us down 3 times now. Tomorrow we'll be buying Panda, Zone Alarm Pro and dumping Norton products forever.

George


There may still be a way to catch this critter...

Do a scan of your registry... First start by looking for IEXPLORE.EXE. What you are looking for is an entry in your registry, followed by a secondary entry (may be an .exe, .pif, etc). That secondary entry should look pretty foreign. That may provide a clue as to what is still being used on your system to look for the .pif's and exe's you mention.

This is how the Aureate spyware attaches itself to I.E. Adaware catches the entry, but since Adaware only looks for known spyware, it's probably useless for this worm. Since you mentioned the worm seems to reactivate when email is opened, it may be using a similar vector w/Outlook.

You are quite right about sys admins being stumped. I have a feeling that none of the major virus firms have considered that what I call the "tagalong" option may be in play. Most viruses stay present by using standard vectors--run, runonce, runservices, etc.... This one I suspect is attaching itself in the same way Aureate does...

-John


Thanks John,

And thanks for understanding a major problem here. It is hard convincing folks of the problem.

I did search the registry and found stuff there which I have since deleted.

scrsvr
brasil aliver

The most annoying virus I have ever seen in my life.

Norton.. where are you with this? :-(

Regards.. Trev
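
A read-only audit of the state this thread describes, added here as an example and not code from any poster or vendor: for each file name mentioned in the posts it reports whether the Windows directory holds nothing, a zero-byte read-only dummy, or a non-empty file, and it lists `run=`/`load=` lines in the `[windows]` section of win.ini that still reference those names. The function names, the constructed sample directory, and the assumption that the win.ini autostart entry sits on a `run=` or `load=` line are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names taken from the thread; the sample directory in demo() is constructed.
WATCHED = ("scrsvr.exe", "brasil.pif", "brasil.exe")

def classify(path):
    """'absent', 'placeholder' (0 bytes + read-only), 'empty-writable' or 'suspect'."""
    if path is None:
        return "absent"
    st = os.stat(path)
    if st.st_size > 0:
        return "suspect"  # a real file, not the zero-byte dummy
    return "empty-writable" if st.st_mode & stat.S_IWUSR else "placeholder"

def autostart_hits(win_ini_text):
    """run=/load= values in the [windows] section that mention a watched name."""
    hits, section = [], ""
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            if any(name in value.lower() for name in WATCHED):
                hits.append(value.strip())
    return hits

def audit(windows_dir):
    # FAT names are case-insensitive, so match on lower-cased directory entries.
    present = {p.name.lower(): p for p in Path(windows_dir).iterdir()}
    report = {name: classify(present.get(name)) for name in WATCHED}
    ini = present.get("win.ini")
    text = ini.read_text(encoding="latin-1") if ini else ""
    return report, autostart_hits(text)

def demo():
    """Build a constructed sample directory so the audit runs offline."""
    with tempfile.TemporaryDirectory() as d:
        dummy = Path(d, "SCRSVR.EXE")
        dummy.touch()
        dummy.chmod(stat.S_IREAD)                  # zero bytes, read-only
        Path(d, "brasil.pif").write_bytes(b"constructed non-empty sample")
        Path(d, "win.ini").write_text("[windows]\nload=\nrun=C:\\WINDOWS\\SCRSVR.EXE\n")
        result = audit(d)
        dummy.chmod(stat.S_IREAD | stat.S_IWRITE)  # let cleanup delete it on Windows
        return result
```

Point `audit()` at the Windows directory of a mounted or copied disk. A `placeholder` result together with a remaining win.ini hit means the autostart line is still in place even though the file it names is only a dummy.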
