
Dealing With This Worm Virus


buzaw
01-20-2003, 03:35 PM
Following Tileman's advice I did some searching on the internet as to how to deal with the three worm viruses in one of my computers which Norton could not fix or quarantine. Here is where I found some help and thought some might like to know in case you are hit with this. Had I not had my C drive open to "share" it appears that I would have not got infected with this worm.

At this link you get "page not found." Click "virus analysis" on that page and it will give a long list of viruses and how to deal with them.

"W32/Opaserv-A is a worm that spreads via network shares.

When executed the worm will create a file called scrsvr.exe or alevir.exe in the Windows folder on the current drive. W32/Opaserv-A then adds one of the following registry entries to run itself when the system starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr =
C:\WINDOWS\ScrSvr.exe

or

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\alevir =
C:\WINDOWS\alevir.exe

The worm scans a range of IP addresses for the local area network searching for computers with an open C: share and NETBIOS enabled over TCP/IP. When a share is found the worm is copied to the Windows folder of that share and modifies the win.ini file so that the worm is executed the next time Windows is started on that computer. Once the local area network has been scanned the worm will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm.

W32/Opaserv-A also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.

The following three non-viral files may be found in the root folder of infected systems:

tmp.ini
scrsin.dat
scrsout.dat"

http://www.sophos.com/virusinfo/analyses/w32opaserv (http://www.sophos.com/virusinfo/analyses/w32opaserva)
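The file indicators listed in the quoted description can be checked on a drive root or a mounted copy of the disk. The script below is an added example, not part of the original post or the Sophos write-up. It assumes the win.ini change uses the standard `run=`/`load=` autostart entries of the `[windows]` section (the quoted text does not say which entry is modified), its function names are hypothetical, and it does not read the registry Run values.

```python
import os

# Indicator names taken from the quoted Sophos description.
WORM_EXES = {"scrsvr.exe", "alevir.exe"}               # dropped in the Windows folder
SIDE_FILES = {"tmp.ini", "scrsin.dat", "scrsout.dat"}  # non-viral, in the root folder
# Constructed sample (not from the page): a win.ini with a run= entry.
SAMPLE_WININI = "[windows]\nload=\nrun=c:\\windows\\scrsvr.exe\n[Desktop]\nrun=ignored.exe\n"

def _listing(path):
    """Map lower-cased name -> real name (Windows file names are case-insensitive)."""
    try:
        return {n.lower(): n for n in os.listdir(path)}
    except OSError:
        return {}

def winini_autostart(text):
    """Return the programs named on run=/load= lines of the [windows] section."""
    section, progs = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load"):
                progs += value.replace(",", " ").split()
    return progs

def scan(root, windows_dir="WINDOWS"):
    """Scan a drive root (live or mounted image) and return sorted findings."""
    root_files = _listing(root)
    win_path = os.path.join(root, root_files.get(windows_dir.lower(), windows_dir))
    win_files = _listing(win_path)
    findings = [f"worm executable: {win_files[n]}" for n in win_files.keys() & WORM_EXES]
    findings += [f"side file in root: {root_files[n]}" for n in root_files.keys() & SIDE_FILES]
    if "win.ini" in win_files:
        with open(os.path.join(win_path, win_files["win.ini"]), errors="replace") as fh:
            for prog in winini_autostart(fh.read()):
                base = prog.replace("\\", "/").rsplit("/", 1)[-1].lower()
                if base in WORM_EXES:
                    findings.append(f"win.ini autostart: {prog}")
    return sorted(findings)

if __name__ == "__main__":
    import sys
    print("\n".join(scan(sys.argv[1] if len(sys.argv) > 1 else "C:\\")) or "no indicators found")
```

Any finding means the machine should also be checked for the two Run values quoted above and for an open C: share.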

01-20-2003, 07:59 PM
Someone went through a lot of effort with this one. Thanks buz. :o