From: Sophos Alert System

Name: W32/Opaserv-V
Type: Win32 worm
Date: 24 June 2005

Detected by Sophos Anti-Virus since November 2003.

Information about W32/Opaserv-V can be found at:
http://www.sophos.com/virusinfo/analyses/w32opaservv.html

W32/Opaserv disinfection instructions and FAQ

W32/Opaserv variants are worms that spread over both internal networks and the internet by exploiting open or weakly protected C: drive shares. They mainly affect Windows 95/98/Me computers.

1. How do I get rid of W32/Opaserv?
2. How do I prevent reinfection by W32/Opaserv?

1. How do I get rid of W32/Opaserv?

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

Windows 95/98/Me and Windows NT/2000/XP/2003

The following W32/Opaserv variants can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the Resolve tools below:

W32/Opaserv-A, W32/Opaserv-B, W32/Opaserv-C, W32/Opaserv-D, W32/Opaserv-E, W32/Opaserv-F, W32/Opaserv-Fam, W32/Opaserv-G, W32/Opaserv-H, W32/Opaserv-I, W32/Opaserv-J, W32/Opaserv-K, W32/Opaserv-L, W32/Opaserv-V.

Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.

Windows disinfector

OPASEGUI is a disinfector for standalone Windows computers. Open OPASEGUI, run it, then click GO. If you are disinfecting several computers, download it, save it to floppy disk and run it from there.

Read the notes below on preventing reinfection.

Command line disinfector

OPASESFX.EXE is a self-extracting archive containing OPASECLI, a Resolve command line disinfector for use on Windows networks.
Read the notes enclosed in the self-extractor for details on running this program.

Read the notes below on preventing reinfection.

Other platforms

To remove W32/Opaserv on other platforms please follow the instructions for removing worms.

2. How do I prevent reinfection by W32/Opaserv?

All variants of W32/Opaserv spread over both internal networks and the internet by exploiting open or weakly protected C: drive shares. Upon infection the virus is written to the WINDOWS folder, and the file WIN.INI is edited to run the virus each time the computer is rebooted.

Although Sophos Anti-Virus will prevent this file from being run, it will not prevent it from being copied initially. However, when the change to WIN.INI attempts to run the virus when the computer is rebooted, InterCheck will find it and prevent it from running.

To stop this happening, right-click the C: drive in Windows Explorer, select Sharing, then unshare the C: drive.

Password protecting your shared C: drive may not be enough to prevent access by W32/Opaserv. Shares created on individual folders other than the Windows folder will not attract infection by W32/Opaserv. To improve the security of password protected shares install the patch.

If for some reason it is necessary for you to share the C: drive of a Windows 95/98/Me computer attached to the Internet you should consider installing a firewall.

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Opaserv-V from:
http://www.sophos.com/downloads/ide/opaservv.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
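
Added example (not part of the Sophos alert or Mike's message): a post-cleanup check that lists the programs WIN.INI will start at the next reboot, the persistence point the alert describes. The alert does not name the WIN.INI key, so this assumes the standard `run=` and `load=` keys in the `[windows]` section; the sample file and its file names are constructed placeholders.

```python
import ntpath

# Assumption: the standard WIN.INI autostart keys in the [windows] section.
AUTOSTART_KEYS = ("run", "load")

def autostart_entries(win_ini_text):
    """Return (key, program) pairs from the [windows] section of WIN.INI text."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # One key can list several programs; split on spaces and commas.
            for prog in value.replace(",", " ").split():
                entries.append((key, prog))
    return entries

def unexpected_autostarts(win_ini_text, allowed=()):
    """Entries whose file name is not on the administrator's allow list."""
    allow = {name.lower() for name in allowed}
    return [(k, p) for k, p in autostart_entries(win_ini_text)
            if ntpath.basename(p).lower() not in allow]

# Constructed sample: EXAMPLE.EXE is a placeholder, not a name from the alert.
SAMPLE = """\
[windows]
load=
run=C:\\WINDOWS\\EXAMPLE.EXE
NullPort=None

[Desktop]
run=ignored-outside-windows-section
"""

if __name__ == "__main__":
    for key, prog in unexpected_autostarts(SAMPLE, allowed=("known.exe",)):
        print(f"review {key}= entry: {prog}")
```

Run it against a copy of each machine's WIN.INI after disinfection; any entry it reports that the administrator does not recognise is worth checking before the next reboot.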