opaserv variation warning

and yet another variation:
Madrid, October 21, 2002 - Panda Software's technical support services, the
company's Virus Laboratory and Panda ActiveScan, the online virus scanner,
have all been recording incidents involving the new worm, Opaserv.E
(W32/Opaserv.E). This malicious code is particularly adept at spreading
across networks, which makes it especially dangerous for corporate
environments.

Opaserv.E spreads across shared network drives and copies itself as
Brasil.exe or Brasil.pif, going resident in the affected computer. It
creates an entry in the Windows registry in order to ensure it is run on
every system startup.

The worm tries to connect to two separate Internet addresses in order to
download applications and run them on the infected computer. However, these
addresses are at present inaccessible.

Opaserv.E is a variant of W32/Opaserv, which first appeared on September 30
and became one of the viruses most frequently detected by Panda ActiveScan.

AAAARRRRRRGHH!!!! Some dip downloaded it here at the high school!!!:rolleyes: :( :flame:

anyone know of a fix? Right now I have to manually edit the win.ini and registry. on every machine

go to www.pandasoftware.com and click on the opaserve e listing in the new virus box on the right..when you get to that page, click on the highlighted how to disinfect. on that page at the bottom is a tool called pqremove that you can download. kids are so much fun..aint they?

thanks!! btw it was a teacher!! :rolleyes: :rolleyes: :D

Thanks for the warning!:)

I have disinfected this virus several times over the past few days, both manually and using symantecs removal tool.
On one PC, the damn thing keeps coming back, and im at a loss where to look next.
All brasil/scrsvr references are removed, win.ini and registry edited. After a shut down (wait) and run of the tool in safe mode all seems well. But then later that day up pops Norton to say its quarantined another infection. There has been no connection to the net at this point, as the phone line was unplugged earlier .On any reboot, the windows pop up again saying scrsvr.exe cant be found. Sure enough, all entries are back in Win.ini and registry. The Opaserve tool, and a scan by Norton find nothing.
The only difference is a file ive not seen before by the name of alevir.exe being in the virus line on Win.ini.
I have tried deleting win.ini from C:\Windows\Recent as well, but to no avail.
Anyone help here??

Quote:

---

Originally posted by geoscomp
...This malicious code is particularly adept at spreading
across networks, which makes it especially dangerous for corporate environments...

---

No I'm not! Well, maybe a little! :p

Haven't had any instances of this one yet.

Sounds like a lot of fun. :mad:

when you say no connection to the net, do you mean no connection to any network as well?..Have you run an online virus scan after cleaning up and before rebooting?..if there is no network connection, then it has to be a registry entry or something in the renamed win.ini file. opaserv creates a pif.ono file, and then renames it win.ini. have you looked for pif.ini anywhere? also check msconfig for anything is win.ini and uncgheck it there

All net/network disabled by unplugging.
Msconfig, win.ini and registry are cleaned. Any references as per your reply searched and destroyed if found. All done in safe mode.
Online scans tried - nothing found. Norton - nothing. Panda and Norton fix tools - system clean.
Reboot only after power down and purge of residual current.
On reboot - its all back.
???????????????????????????????????????????

Judge__Dredd, have you run fdisk /mbr?

also from pandasoft:

W32/Opaserv creates the following file:

SCRSVR.EXE, in the Windows directory. This file contains the infection code.

W32/Opaserv inserts the following entry in the Windows Registry:

HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run "ScrSvr" = %WinDir%\ SCRSVR.EXE

I haven't seen this in any of my regs, but it may be in yours.
On some of my machines I've just deleted scrsvr.exe

Yep. Done it - but thx.
Ive followed the info from Panda and Norton. But no-one has referred to this file alevir.exe as yet. This is what I think is causing it, although I have removed its refferences in msconfig, registry under every RUN string, and Win.ini as well as c:\windows\system.
Its hiding somewhere else, as something else, and has eluded me so far.. Ive searched for it by name, but come up with nothing.
Im going to get onto Symantec with it right away before i pull the rest of my hair out. :confused: :confused: :confused:

Stop press. My mate here has just found a reference to alevir on netspy. But only a reference, no info.

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager.
For Win98/WinME users, please see NOTE below
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
ALEVIR.EXE
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 9x/ME, Windows Task Manager does not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, Restart your system before proceeding to the next instruction.

try this..i found it on trend micro virus encyclopedia under opaserve f..heres the whole link:
http://www.trendmicro.com/vinfo/viru...WORM_OPASERV.F

Many thanks.
That write up was only made yesterday as well!
Weve had the unit here for two days.

Heres the extract from your link that has just cured it.

"It also creates a file named PUT.INI in the C:\ directory and copies the content of the configuration file WIN.INI located in the Windows directory into this file. It then adds the following entry in the [windows] section of PUT.INI:
This worm then copies back the contents of PUT.INI to WIN.INI. These changes allow ALEVIR.EXE to execute at every Windows startup."

Although we should have spotted put.ini before!

looks like you have the newest variation..f instead of e..lucky you

I feel honoured - not!!:D :D :D

But very greatful for your help - thanks.;)

Not just put.ini.
Damn thing kept coming back!!

You also will need to delete Win.sys.

Madrid, October 27, 2002 - According to data gathered by Panda ActiveScan,
this week's virus activity has centered on variants "E", "F" and "G" of
Opaserv.

This week, 16.79 percent of total virus infections detected by Panda
Software's free, online scanner have been caused by either Opaserv,
Opaserv.E or Opaserv.F, as compared to 12.68 percent of infections caused by
Klez.I. According to Luis Corrons, director of Panda Software's Virus
Research Laboratory, "This is very significant, as Klez.I has been the most
frequently detected virus by Panda ActiveScan since April. Now, however, its
place at the top of the ranking seems to be jeopardy".

Opaserv and its variants enter computers via the Internet, using
communication ports 137 and 139, which are normally open by default. If the
infected computer shares files or resources with other computers, this
malicious code will spread to these by exploiting a vulnerability in Windows
9x and Me known as "Share Level Password". This enables any variant of
Opaserv to spread quickly to all computers in a network.

On the subject of Opaserv and its variants, Luis Corrons adds, "These worms
are favoring the reappearance of other, older, malicious codes such as
W95/CIH or W32/Funlove. "This is due", he explains, "to the fact that
Opaserv copies itself to computers it affects. If these computers are
infected with a virus, Opaserv will also become infected and spread
infection wherever it goes." For this reason it is advisable that users
install an efficient antivirus that can eliminate every known malicious
code. Antiviruses must also be periodically updated in order to protect
computers against any new virus threats.


just what we need..a virus infected with a virus:mad: :mad: :mad:

Yep. It did contract W32.Funlove.4099 as well!
The customer whos PC it was, only had the PC new from us on Wednesday. It had Norton 2003 on it as standard, with the latest virus defs of 16 Oct. He got the first warning from Norton just 5 minutes after first boot up whilst checking his hotmail! That didnt stop the virus dropping its files though despite it identifying it as Opaserve. Weve since checked his old PC out (for free and out of curiosity) and its riddled. Its got over 2500 infections across 12 viruses).
I would have expected the "...ive only had it 5 mins and its gone wrong - and I thought you said Norton was good....." etc speech, but nope. He was very pragmatic about it. We showed him all the links to sites so that he could see how new his virus was, and he was fascinated. Poor bugger though....... after just 5 mins!

Ive always been a Norton fan, and found there write ups to be very current, and quick to update. But they havent got this one all there yet. A search for alevir gets no results.

BTW i referred to win.sys. I meant delete win.syd.

Every antivirus seems to have a problem with one or another virus. Even though I use Symantec enterprise on this network, I subscribe to the warnings from Panda..Being located in Spain, they seem to have a day or so head start on some of the stuff migrating from Eastern Europe and Asia. You can subscribe to the warnings..(and so can your customer if he's interested)..at their home page. We've used Panda for disinfecting machines from dos for about three years now, and have been quite happy about it, but the dos disinfection only works on fat and fat32 partitions, not on ntfs.

cheers geoscomp :D :cool:

I have been dealing with this one for a week at one of our smaller client sites. Same thing, scrsvr, brasil, and alevir, this guy had them all. I installed Norton 2003, latest definitions, and cleaned all computers manually. Next day, all entries were back. Cleaned again (four pc peer-to-peer setup, disconnected from network cablese while cleaning), ran full scans, back again the next day. Went back, recleaned, logged onto the internet (he uses MSN) and watched Norton quarantine five files in 15 minutes. Everytime he got online, the virus would retur. I figured switch ISPs, new account, new IP's, everything. 15 minutes later, its back! I spent $69.95 calling Symantecs "Premier Support" (getting the number and getting a human is another horror story in itself!), and was told to "get a firewall". This guy had spent enough and I already ate over 5 hours on this job, so I got the free version of ZA (I know...), set it up and... no more infections!?! Don't know why or how it was coming back in after the ISP change, but it seems to have been stopped for now (keeping my fingers crossed on this one). Good luck, this one was a pain even though it is "Non-Destructive".

I've been dealing with this since last Wednesday. if you have file and print sharing enabled it will keep coming back. I've had to go back to the same machines numerous times because the teacher(s) keep enabling sharing." It's incovenient to print from one machine" :rolleyes:


My head hurts.

Unfortunately, file and print sharing had to stay as this is a small business network running shared apps and files. It's pretty sad when the answer to a virus is "disable your network". It seems that cleaning this off with all machines unplugged and not plugged back in until completion should have solved the problems if the virus was coming from a machine on the LAN. The only thing I could come up with was coming in from the internet and the firewall did prevent any more infections, so... who knows?

I deal with viruses daily, and this has to be the worst to extract.
Ive managed it succesfully on stand alone PCs, but where theres a network - its a nightmare. I cant tell them to disable file and print sharing. They cant run the business without it. Unless I do so though we are screwed. I really want to be able to nail this one down, but the big virus services dont seem to have the answer yet. It also screws with Sage as well, changing the date. Even when the virus has gone, the invoice dates revert to 2 years before. Reinstalling Sage did no good, and Sage themselves have now got involved.

I think you might be on to something, Beshman..the internet IS a network after all..it could be coming from an infected server bank on an isp jump or somewhere similar. I wonder if this is related to the recent ddos attack on the dns servers?..seems like the type of virus that would be needed to accomplish it. It also seems to be mutating very quickly to new variants, wonder if that was part of the original code? Now there is an Opaserv.H listed on Pandasoftwares site..with a new file to look for

I have had to deal with this virus on some SMALL networks and what I have found is un share the Root drive and share the folders that they need access to on the network. It stops the virus in its path because when it checks for a shared folder it looks for the windows folder then copys itself to that locate. so if you don't have the root share but other folders shared the virus is not copied to that location.

We too have been battling this virus. No solution yet. Like all of you we think we get it taken care of and then it reinfects or at least it shows up for Norton to stop it. I had our customer kind of keep a log of when he seem to be seeing it. It was happening even just browsing the Net. The strange thing is, he has a 3 computer network and so far only his Winme computer seems to be getting hit. I scanned the other two and even did a manual search and couldnt' find anything. And it does seem to be mutating he's had version a,b,d,e,g! It also occasionally shows up with spaces virus.

Now here's a related question... What do you do if you "remove" a virus for somebody but it keeps coming back? Do you charge them each time even if you are unsure if you have gotten rid of it? AS seems to be the case with this virus?

I had the same problem with a network what I did is went to properties of network removed the file and sharing on all the protocols except dial-up networking and removed net bios over tcp/ip heres what sophos has to say about it Symantec has nothing like this

http://www.sophos.com/virusinfo/anal...2opaservc.html

hope this help cause it had me going for a while now everything is back to normal

these virus is what keeps us working...

Cheers for that. What amazes me is Symantec not covering this. I normally swear by them, but theyve really made me think again now.

I always count on symantec but this time they did not have it neither did the other anti-virus companies and it's been a month that opaserv is out and still they do not talk about the network protocols well they can't always have it right...

Quote:

---

Originally posted by grandam_99
I had the same problem with a network what I did is went to properties of network removed the file and sharing on all the protocols except dial-up networking and removed net bios over tcp/ip heres what sophos has to say about it Symantec has nothing like this

http://www.sophos.com/virusinfo/anal...2opaservc.html

hope this help cause it had me going for a while now everything is back to normal

these virus is what keeps us working...

---

We are on with broadband and have a router and linux server but I followed those instructions to turn off net bios over tcp/ip anyway. The only problem is when you go into the tcp/ip properties the netbios section the enable netbios over tcp/ip is enabled and grayed out so i can't turn it off... How do I turn it off/and why would it be grayed out?

I would remove netbios and use another protocol and verify the print and file sharing settings

Agreed. That is what I have now done, and all seems sweet for the moment.
Well, until they turn them all back on again on Monday :D :D

We found that password protecting hard drive on each workstation prevents the opa from spreading...It is the only way we were able to stop it. After passwording each drive, we rebooted to safe mode, ran opa removal tool (from symantec), edited win.ini to remove string, removed string from registry startup and rebooted. Virus has not returned since.

Quote:

---

Originally posted by Judge__Dredd
I have disinfected this virus several times over the past few days, both manually and using symantecs removal tool.
On one PC, the damn thing keeps coming back, and im at a loss where to look next.
All brasil/scrsvr references are removed, win.ini and registry edited. After a shut down (wait) and run of the tool in safe mode all seems well. But then later that day up pops Norton to say its quarantined another infection. There has been no connection to the net at this point, as the phone line was unplugged earlier .On any reboot, the windows pop up again saying scrsvr.exe cant be found. Sure enough, all entries are back in Win.ini and registry. The Opaserve tool, and a scan by Norton find nothing.
The only difference is a file ive not seen before by the name of alevir.exe being in the virus line on Win.ini.
I have tried deleting win.ini from C:\Windows\Recent as well, but to no avail.
Anyone help here??

---

Well I got rid of this virus (atleast that's what all 3 removal tools, and the latest McAfee updates tell me), but it left me a little preasent. Now printing to shared printers gives an error message about 50% of the time... usually we can get it working eventualy, but it's driving me crazy because I can't figure out how to fix it.

Anyone else having freaky printer problems after cleaning this virus off thier system?

Quote:

---

Originally posted by Seeker9000
Well I got rid of this virus (atleast that's what all 3 removal tools, and the latest McAfee updates tell me), but it left me a little preasent. Now printing to shared printers gives an error message about 50% of the time... usually we can get it working eventualy, but it's driving me crazy because I can't figure out how to fix it.

Anyone else having freaky printer problems after cleaning this virus off thier system?

---

I've had to delete some printers, run the printers setup and reload the drivers.
Fixed any lingering probs I've had.


so far.......:rolleyes: :)

Blast... I already did that to no avail.

I uninstalled the printer on both the machine it's shared on, and the machine that's printing to it. I also downloaded brand new drivers from the web, thinking maybe the ones I had got corrupted. I uninstalled all the network components on said computer and installed fresh ones (new Network Card drivers from the web).

The strange thing is that one of the computers that has a shared printer giving me these problems never even had the virus (hard drive wasn't shared), so it must be the client that is the problem... weird

Ah well thanks anyways Shamus.

Well heres my issues with this worm. Okay, so i'm working at this company on 2 computers infected with this worm. I actually went to run the Symantec tool, but it didn't find any Opaserv worm. I know its there, because they have NAV 2002 loaded and tons of files in Quarantine. so i delete these files, remove any instance from the registry and win.ini, also removed 'put.ini' file. then i went to Sophos's site and downloaded the removal tool and ran the tool. Thanks to [/B]Shard92[B] for providing that link. all this time i disconnected the pc's from the network and removed the share from the root drive. One of the pc's also had printer problems, so i had to remove the driver and reinstall it and it would print just fine. It just took me several hours to track down some info on this, going here was incredibly helpful! I then updated NAV and then ran a scan and everything was clean.

This week they have had more printer woes, but no other virus related trouble.
Uninstalling printer, then reinstalling worked on one PC but not the others. Well, they did sort of work - you could see the ink levels on status manager, and it would print an alignment sheet, but came up with communication errors when in nromal printing. Print sharing was disabled on all.
The solution has held fast since Monday - swap the printers round on all the PCs!