Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 30 Sep 2002 03:00:00
Description created: 01 Oct 2002 08:36:00
Description updated: 26 Feb 2003 03:45:00
Malware type: WORM
Alias:
Spreading mechanism: NETWORK
Summary: None

W32/Opaserv

Spreading

When the worm is first run, it installs itself in the Windows directory and adds a reference to itself under the registry key below:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
scrsvr = [windir]\scrsvr.exe

This ensures that the worm is run during startup.

It will try to create a mutex of a given name; if this fails it will assume it is already running and terminate. If it succeeds, it will install itself in memory; under Win9x/ME this process will be hidden from the task list.

When infecting other machines, it will modify the WIN.INI file with an extra "run = [Windir]\ScrSvr.exe" line and then copy itself into the Windows directory of the remote machine. The worm attempts to connect to a web site to download a new (updated) copy of itself; this website is, however, down.

Other files may be created by the worm. These files, scrsin.dat and scrsout.dat, are used for data storage only and are not infectious.

Payload Details

n/a

Analysis

n/a

Removal

Opaserv uses a security vulnerability in Windows 9x/ME to crack network share passwords. Download and install the patch from Microsoft to remedy this.

1. Download Lumension Malware Cleaner (see below).
2. Disconnect your PC from the Internet and from the local network.
3. Run Lumension Malware Cleaner.
4. Open c:\windows\win.ini in Notepad.
5. Search for the line "run=c:\ScrSvr.exe" and/or "run=c:\tmp.ini". Delete these lines if present.
6. Save the file.
7. If infected by other variants than A, B, C or D, please look for the names outlined above.
8. You can now reconnect your PC to your local network and to the Internet.
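
The WIN.INI check from the removal steps above, as an added example (not Lumension's code or part of the original description): it flags and drops "run=" lines that point at the file names this page lists, for use on a copy of the file taken from a suspect machine. Matching on file name regardless of directory, the function name scan_win_ini, and the sample file contents are assumptions of the example.

```python
import re

# Indicators taken from the description above: file names the worm's
# "run=" lines point at. Matching by file name regardless of directory
# is an assumption of this example.
SUSPECT_NAMES = {"scrsvr.exe", "tmp.ini"}

# "run" key with optional whitespace around "=", case-insensitive.
RUN_LINE = re.compile(r"^\s*run\s*=\s*(?P<value>.*?)\s*$", re.IGNORECASE)


def scan_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a WIN.INI file.

    findings is a list of (line_number, original_line) for every run= line
    whose target file name is in SUSPECT_NAMES. cleaned_text is the input
    with those lines removed and every other line left untouched.
    """
    findings, kept = [], []
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        match = RUN_LINE.match(line)
        if match:
            # Compare only the last path component, lower-cased.
            target = match.group("value").strip('"')
            name = re.split(r"[\\/]", target)[-1].lower()
            if name in SUSPECT_NAMES:
                findings.append((number, line.rstrip("\r\n")))
                continue
        kept.append(line)
    return findings, "".join(kept)


# Constructed sample, not taken from a real infected machine.
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run = C:\\WINDOWS\\ScrSvr.exe\r\n"
    "run=c:\\tmp.ini\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "Wallpaper=(None)\r\n"
)

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE)
    for number, line in hits:
        print(f"line {number}: {line}")
    print(cleaned, end="")
```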


Last Updated: 12 Nov 2015 11:06:11