[virusinfo] W32/Opaserv-V

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 24 Jun 2005 13:33:58 -0700

From: Sophos Alert System:

Name: W32/Opaserv-V
Type: Win32 worm
Date: 24 June 2005

Detected by Sophos Anti-Virus since November 2003.

Information about W32/Opaserv-V can be found at:
http://www.sophos.com/virusinfo/analyses/w32opaservv.html

W32/Opaserv disinfection instructions and FAQ
W32/Opaserv variants are worms that spread over both internal networks and the 
internet by exploiting open or weakly protected C: drive shares. They mainly 
affect Windows 95/98/Me computers.

1. How do I get rid of W32/Opaserv?
2. How do I prevent reinfection by W32/Opaserv?

1. How do I get rid of W32/Opaserv?
Resolve is the name for a set of small, downloadable Sophos utilities designed 
to remove and undo the changes made by certain viruses, Trojans and worms. They 
terminate any virus processes and reset any registry keys that the virus 
changed. Existing infections can be cleaned up quickly and easily, both on 
individual workstations and over networks with large numbers of computers.

Windows 95/98/Me and Windows NT/2000/XP/2003

The following W32/Opaserv variants can be removed from Windows 95/98/Me and 
Windows NT/2000/XP/2003 computers automatically with the Resolve tools below:

W32/Opaserv-A, W32/Opaserv-B, W32/Opaserv-C, W32/Opaserv-D, W32/Opaserv-E, 
W32/Opaserv-F, W32/Opaserv-Fam, W32/Opaserv-G, W32/Opaserv-H, W32/Opaserv-I, 
W32/Opaserv-J, W32/Opaserv-K, W32/Opaserv-L, W32/Opaserv-V.

Note: When disinfecting variants not listed above, use the recovery 
instructions in the appropriate virus analysis.

Windows disinfector

OPASEGUI is a disinfector for standalone Windows computers.

  • open OPASEGUI
  • run it
  • then click GO.

If you are disinfecting several computers, download it, save it to floppy disk 
and run it from there.

Read the notes below on preventing reinfection.

Command line disinfector

OPASESFX.EXE is a self-extracting archive containing OPASECLI, a Resolve 
command line disinfector for use on Windows networks. Read the notes enclosed 
in the self-extractor for details on running this program.

Read the notes below on preventing reinfection.

Other platforms

To remove W32/Opaserv on other platforms please follow the instructions for 
removing worms.



2. How do I prevent reinfection by W32/Opaserv?
All variants of W32/Opaserv spread over both internal networks and the internet 
by exploiting open or weakly protected C: drive shares.

Upon infection the virus is written to the WINDOWS folder, and the file WIN.INI 
is edited to run the virus each time the computer is rebooted. Although Sophos 
Anti-Virus will prevent this file from being run, it will not prevent it from 
being copied initially. However, when the change to WIN.INI attempts to run the 
virus when the computer is rebooted, InterCheck will find it and prevent it 
from running.

To stop this happening, right-click the C: drive in Windows Explorer, select 
Sharing, then unshare the C: drive. Password protecting your shared C: drive 
may not be enough to prevent access by W32/Opaserv. Shares created on 
individual folders other than the Windows folder will not attract infection by 
W32/Opaserv.

To improve the security of password protected shares install the patch.

If for some reason it is necessary for you to share the C: drive of a Windows 
95/98/Me computer attached to the Internet you should consider installing a 
firewall.


Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Opaserv-V from:

http://www.sophos.com/downloads/ide/opaservv.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
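
The advisory above says W32/Opaserv edits WIN.INI so that the worm runs at each reboot. The following is an added example, not part of the original post or of any Sophos tool: a Python sketch that lists the startup entries in a copy of WIN.INI for review after cleanup. It assumes the standard run= and load= keys of the [windows] section; the sample file, its file names and the allowlist are constructed placeholders.

```python
import re

AUTOSTART_KEYS = {"run", "load"}  # [windows] keys that Windows 9x executes at startup

def winini_autostart(text):
    """Return (key, program) pairs from the [windows] section of WIN.INI text."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()    # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() in AUTOSTART_KEYS:
            # Several programs may be listed, separated by spaces or commas.
            # Assumption: 8.3-style paths without embedded spaces.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key.strip().lower(), prog))
    return entries

def unexpected(entries, allowlist):
    """Entries whose program is not in the site's allowlist (case-insensitive)."""
    allowed = {p.lower() for p in allowlist}
    return [(k, p) for k, p in entries if p.lower() not in allowed]

# Constructed sample: EXAMPLE.EXE is a placeholder, not a file name from the advisory.
SAMPLE = """\
; constructed WIN.INI excerpt
[windows]
load=C:\\TOOLS\\TRAYAPP.EXE
Run=C:\\WINDOWS\\EXAMPLE.EXE
NullPort=None

[Desktop]
run=ignored.exe
"""

if __name__ == "__main__":
    found = winini_autostart(SAMPLE)
    for key, prog in unexpected(found, allowlist=[r"C:\TOOLS\TRAYAPP.EXE"]):
        print(f"review {key}= entry: {prog}")
```

Any entry reported here that points into the WINDOWS folder and is not a program you installed deserves a closer look before the next reboot.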


