Posted

I've got a small LAN, 4 PCs that share a DSL conn.

One comp had the w32.opaserv.H.worm; when one person accidentally authorized "share files and printers", the worm immediately copied itself to the other 2 comps.

3 comps got the w32.opaserv.H.worm. Here is what I did:

1. I have downloaded the microsoft patch to resolve it and installed it.

2. Updated NAV and scanned the pc. Files were repaired and erased.

Two PCs no longer had any warning and resumed working fine. However, one PC (not the original one with the worm) is still giving a very annoying problem: NAV says every 5 minutes that "w.32.opaserv.H.worm" has been found in .... file and been repaired. So I guess the worm is still there. I have done exactly the same thing on the other 2 comps (3 weeks ago, when all this happened) and it solved the problem.

Please advise.

Posted

Definitely.

Considering also that I have somehow solved the problem on 2 PCs (the first one that had the worm included). I am looking for a way to solve it without any format.

Posted

As in RAM or in swap / page file ?

RAM it can't; page file... who knows what Windows is putting in there. You can select the option to clear virtual memory on exit in the security settings of your computer.

It might be worth a try. :)

Posted

I'm not sure, but might it perhaps be a language incompatibility? For instance, to remove the virus from my Dutch WinXP, I need the Dutch virus removal program; the English one gives an error.

Posted

I'm not sure, but might it perhaps be a language incompatibility? For instance, to remove the virus from my Dutch WinXP, I need the Dutch virus removal program; the English one gives an error.

Smart thinking

Posted

The language compatibility isn't the problem. Besides, as I mentioned, on the other two comps I've done the same procedure (all 3 comps have the same NAV and the same W98 language). Plz advise.

Posted

The language compatibility isn't the problem. Besides, as I mentioned, on the other two comps I've done the same procedure (all 3 comps have the same NAV and the same W98 language). Plz advise.

Try to make a boot disk with antivirus on one of the comps where the virus has been cleared off. Use that disk to boot up from on the PC with the problem. Maybe it finds something where you wouldn't expect it.

Posted

The language compatibility isn't the problem. Besides, as I mentioned, on the other two comps I've done the same procedure (all 3 comps have the same NAV and the same W98 language). Plz advise.

Try to make a boot disk with antivirus on one of the comps where the virus has been cleared off. Use that disk to boot up from on the PC with the problem. Maybe it finds something where you wouldn't expect it.

No luck yet Doc.

Any other idea ?

Posted

You've tried this:

Presence of any of the following:

%WinDir%\ScrSvr.exe

C:\SCRSDAT.IN, C:\SCRSDAT.OUT (local infection)

C:\TMP.INI (when machine remotely infected)

Existence of either of the following Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"ScrSvr" = %WinDir%\ScrSvr.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

"ScrSvrOld" = (filename executed, if not %WinDir%\ScrSvr.exe)

Considerable port 137 traffic (UDP) originating from infected machine(s).

Removal instructions:

Security Patch for 'Share Level Password' Vulnerability (MS00-072)

To protect against reinfection by W32/Opaserv.worm (and similar such network aware viruses) ensure you obtain and install this patch from Microsoft. It is relevant to the following operating systems:

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows 98 Second Edition

Microsoft Windows ME

To read more information concerning the exploit and download the relevant patch, click here.

It is also recommended that Win9x/ME users unbind File and Print Sharing from the TCP/IP protocol.

On Windows 9x/ME, right click on Network Neighborhood on the Desktop and select properties

Select the TCP/IP protocol component that is bound to your network adapter (ie. TCP/IP -> 3Com Ethernet Adapter, or TCP/IP -> Dial-Up Adapter)

Press the "Properties" button

Select the "Bindings" tab

Uncheck "File and Print Sharing for Microsoft Networks" if it is checked

Click "OK" and "OK" again, reboot when prompted.

All Users:

Use current engine and DAT files for detection. Delete any file which contains this detection.

Note: The virus alters the WIN.INI file on remote systems after it copies itself to that system. Therefore, VirusScan may detect and remove the virus before the WIN.INI change occurs. In this scenario users may see an error message that the file SCRSVR.EXE (or other file names) cannot be found when starting Windows. To fix this, follow these steps:

Click START - RUN

Type WIN.INI and hit ENTER

Locate the run= line and remove the necessary filename after the = sign

(ie. C:\WINDOWS\SYSTEM\SCRSVR.EXE)

Click FILE - EXIT and select YES when prompted to save your changes

Additional instructions
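
The file and WIN.INI checks listed in the post above, as an added example (not part of the original thread or of the quoted advisory): it reports which of the listed indicator files appear in a directory listing and removes a ScrSvr.exe entry from the `run=` line of the `[windows]` section while keeping other entries. Assumptions: `%WinDir%` is the default `C:\WINDOWS`, `run=` entries are separated by spaces or commas and contain no embedded spaces, and the sample listing and WIN.INI text are constructed for the example.

```python
import re

# Indicator names come from the advisory quoted above; matching is
# case-insensitive, as on FAT. WINDIR is an assumption (default install path).
WINDIR = r"C:\WINDOWS"
FILE_INDICATORS = [WINDIR + r"\ScrSvr.exe", r"C:\SCRSDAT.IN",
                   r"C:\SCRSDAT.OUT", r"C:\TMP.INI"]
WORM_EXE = "scrsvr.exe"

# Constructed sample data, e.g. gathered after booting from a clean disk.
SAMPLE_LISTING = [r"C:\WINDOWS\WIN.INI", r"c:\windows\scrsvr.exe", r"C:\TMP.INI"]
SAMPLE_INI = ("[windows]\r\nload=\r\n"
              "run=C:\\WINDOWS\\SYSTEM\\SCRSVR.EXE C:\\TOOLS\\CLOCK.EXE\r\n"
              "\r\n[Desktop]\r\nWallpaper=(None)\r\n")


def find_file_indicators(paths):
    """Return the advisory's indicator files that appear in a path listing."""
    present = {p.strip().lower() for p in paths}
    return [i for i in FILE_INDICATORS if i.lower() in present]


def clean_win_ini(text, names=(WORM_EXE,)):
    """Drop worm entries from run= in [windows]; return (new_text, removed)."""
    out, removed, section = [], [], None
    for line in text.splitlines():
        header = re.match(r"\s*\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        m = re.match(r"(\s*run\s*=)(.*)$", line, re.IGNORECASE)
        if m and section == "windows":
            keep = []
            for entry in re.split(r"[ ,]+", m.group(2).strip()):
                # Compare only the file name, whatever directory it sits in.
                base = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if base in names:
                    removed.append(entry)
                elif entry:
                    keep.append(entry)
            line = m.group(1) + " ".join(keep)
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed


if __name__ == "__main__":
    print("indicator files:", find_file_indicators(SAMPLE_LISTING))
    cleaned, gone = clean_win_ini(SAMPLE_INI)
    print("removed from run=:", gone)
    print(cleaned)
```

Pass other file names through `names` when the advisory's "other file names" case applies; the Run registry values still need checking separately in the registry editor.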
