FYI new virii

  1. #1
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340

    FYI new virii

    Madrid, October 1, 2002 - Panda Software has reported two new worms, called
    Opaserv (which spreads through shared network drives), and Bugbear. Although
    Opaserv (W32/Opaserv) only appeared a few hours ago, it is already fourth in
    the ranking of the most frequently detected viruses by the free, online
    scanner Panda ActiveScan.

    Opaserv has a large capacity to spread through networks, making it
    particularly dangerous in corporate environments. Its main aim is to infect
    other computers, especially those connected to a network. In order to
    spread, it uses a file called "SCRSVR.EXE", and is activated when this file
    is run. It also copies itself -under the name ScrSvr.exe- to the Windows
    directory of the affected computer, going memory resident. In order to
    ensure that it is run whenever the computer is restarted, it creates an
    entry in the Windows Registry. Finally, it is worth highlighting that
    Opaserv tries to connect to a Web address.

    The second worm, Bugbear (W32/Bugbear), is designed to send itself out in a
    file attached to an e-mail message. The name of the attachment and subject
    and message of the e-mail are variable. This malicious code can open port
    36794 in the computer under attack and, at the same time, stop applications
    such as antivirus programs and personal firewalls. As a result, the worm
    opens a backdoor that could allow an attacker to access a remote computer or
    network.
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  2. #2
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    Yay! New viruses! Yay! Yay! Yay!

  3. #3
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    Thanks for the heads up Geo
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  4. #4
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    If they are just the normal run-of-the-mill stuff, I usually don't post them, but that first one looks nasty. To go from first discovery to fourth in the ranking in a few hours is faster than anything I've seen for a while. May be another Nimda situation
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    1

    Question scrsvr.exe

    When you discover that you have this virus...what do you do to correct this problem? I purchased Norton Anti Virus and scanned the hard drive and it says it is successfully removed but I still receive a message that scrsvr.exe cannot be located...What do I do now??? Thanks!!

  6. #6
    Registered User DocPC's Avatar
    Join Date
    Sep 2000
    Location
    Coeur d'Alene, ID
    Posts
    2,900

    Re: scrsvr.exe

    Originally posted by bendawgs
    When you discover that you have this virus...what do you do to correct this problem? I purchased Norton Anti Virus and scanned the hard drive and it says it is successfully removed but I still receive a message that scrsvr.exe cannot be located...What do I do now??? Thanks!!
    You failed to indicate what OS.....Try going to start/run and type in msconfig. Go to the start up tab and uncheck scrsvr.exe, apply and reboot. This is for 98/SE/ME; it is the same for W2k/XP unless it is running as a service. Try this first.
    Follow this link to chat for a quicker answer!

    NooNoo, grover, Matridom, cc_penguin, Octavian, crazyman, Major Kong, and Mayet onboard.....And now starring Ya_know!

  7. #7
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    It probably won't show in the startup menu:
    Means of infection

    W32/Opaserv.D creates the following files:

    SCRSVR.EXE, in the Windows directory. This file contains the infection code.
    TMP.INI, in the root directory of the hard disk. This is a copy of the system's WIN.INI file, with the following modification: the "run=" line is changed to run=c:\windows\system\srcsvr.exe. W32/Opaserv.D also enters the line run=c:\tmp.ini in the original WIN.INI file, which causes the worm to run.
    W32/Opaserv.D inserts the following entry in the Windows Registry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ScrSvr" = %WinDir%\SCRSVR.EXE

    You will have to delete the TMP.ini file from the root of your C drive, edit the win.ini file to remove the reference to TMP.INI, and remove the mentioned registry entry. Alternately, try going to the Symantec website and downloading the fix tool for this virus. It should make the changes, although I have noticed the fix tools sometimes do not work after the virus is already disinfected but not repaired.
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."
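The leftover startup references described in post #7 can be checked for mechanically. The following is an added example, not part of the original thread: it scans WIN.INI text and a listing of the Run key for the names the post mentions (both spellings it uses). The function names, the dict form of the Run-key values (for instance from a registry export) and the sample data are assumptions made for illustration.

```python
import re

# Indicator file names taken from post #7 (both spellings it uses).
SUSPECT_NAMES = ("scrsvr.exe", "srcsvr.exe", "tmp.ini")

def winini_autoruns(text):
    """Return (key, value) pairs for non-empty run=/load= lines in [windows]."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                found.append((key.lower(), value))
    return found

def basename(path):
    """Lower-cased final path component, tolerating quotes and either slash."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def opaserv_findings(winini_text, run_key_values):
    """run_key_values: dict of value name -> data from the HKLM Run key."""
    findings = []
    for key, value in winini_autoruns(winini_text):
        # run=/load= may list several programs separated by spaces or commas.
        for target in re.split(r"[ ,]+", value):
            if basename(target) in SUSPECT_NAMES:
                findings.append(f"win.ini {key}= references {target}")
    for name, data in run_key_values.items():
        if name.lower() == "scrsvr" or basename(data) in SUSPECT_NAMES:
            findings.append(f"Run key value {name!r} = {data}")
    return findings

# Constructed sample data, not taken from a real machine.
SAMPLE_WININI = "[windows]\nload=\nrun=c:\\tmp.ini\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_RUN_KEY = {"ScrSvr": r"C:\WINDOWS\SCRSVR.EXE", "SystemTray": "SysTray.Exe"}
CLEAN_WININI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    for finding in opaserv_findings(SAMPLE_WININI, SAMPLE_RUN_KEY):
        print(finding)
```

A dangling reference of this kind, left behind after the scanner has deleted the file, is what produces the "scrsvr.exe cannot be located" message at startup.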

  8. #8
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    My buddy just got bugbear. I had him update the virus scanner and he also has hybris - again. Stoopid F**** people.

  9. #9
    Registered User Stalemate's Avatar
    Join Date
    May 2001
    Location
    d4-e5
    Posts
    15,120
    Only 1 instance of Bugbear repelled on my home system so far, but I've been noticing an increase in Hybris appearances also.
    Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

  10. #10
    Registered User Who Me's Avatar
    Join Date
    Dec 2000
    Location
    Salford, Lancashire, UK
    Posts
    400
    Had three attempts to my personal email and 60 to our mail server today alone for the bugbear. They came in about 8 different guises, persistent little sod.
    If it aint broke, don't fix it....... If it's broke, buy a new one

  11. #11
    Registered User LaSERCHiPs's Avatar
    Join Date
    Apr 2001
    Location
    Guelph
    Posts
    226
    Viruses WaaWhoo...Man I love them I make so much money by removing them ... 45 bucks a virus...people with a 5 or more we usually give them a break.

    I usually remove about 5 to 10 a week

    The most popular ones I got in my area is

    Hybris
    Nimda
    Loveletter
    Slator
    Magistar
    Klez ( Very Popular )

    I have to say I accidentally released Worms to a lot of people
    Sorry...
    Last edited by LaSERCHiPs; October 9th, 2002 at 11:44 AM.
    "GOOD 2 GO"

  12. #12
    Junior Member Queeg's Avatar
    Join Date
    Sep 2002
    Location
    Oxfordshire
    Posts
    6
    Yeah - Bugbear is really whanging around...........
    Watch out!! - those of you with mail monitoring/sweeping software would be wise to make sure that you also enable "multiple file extension monitoring" - I've caught a couple of hybrid versions of bugbear using multiple file extension monitoring!!

    This is what I'd like to do to those users who persistently use multiple file extensions instead of sticking to convention and NOT using dots to punctuate file names->
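What a "multiple file extension" check in a mail filter looks at, as an added example that is not part of the original thread and is not any product's actual rule. The extension lists, function names and file names in the comments are assumptions; the check flags an executable extension hidden behind a harmless-looking one while leaving ordinary dotted names alone.

```python
# Assumed policy lists for illustration; tune them to the mail gateway in use.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
DECOY_EXTS = {"doc", "xls", "txt", "jpg", "gif", "pdf", "htm", "html", "zip", "mp3"}

def extensions(filename):
    """Return the lower-cased dot-separated suffixes of an attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    name = filename.strip().rstrip(". ")
    parts = [p.strip().lower() for p in name.split(".")]
    # parts[0] is the base name; padding spaces around a suffix are dropped.
    return [p for p in parts[1:] if p]

def is_multi_extension_executable(filename):
    """True when an executable extension follows a harmless-looking one."""
    exts = extensions(filename)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(e in DECOY_EXTS for e in exts[:-1])

def flag_attachments(filenames):
    """Return the subset of attachment names a gateway should quarantine."""
    return [f for f in filenames if is_multi_extension_executable(f)]

if __name__ == "__main__":
    # Constructed attachment names, not taken from real messages.
    sample = ["report.doc.pif", "photo.JPG .scr ", "notes.v1.2.txt", "setup.exe"]
    print(flag_attachments(sample))
```

A plain `setup.exe` is deliberately left to the gateway's ordinary executable-attachment rule; this check only covers the disguise.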

  13. #13
    Registered User geoscomp's Avatar
    Join Date
    Apr 2002
    Location
    Minnesota
    Posts
    2,340
    And now there is a new one for msn users that tries to get you to download a program masquerading as a cd key generator..installs a trojan..has anyone else noticed that most of the new virii seem to be focused on installing system control modules instead of just hosing the machine??
    Computer Rescue Service

    "those who do not remember history are condemned to repeat it."
