Opaserv Worm
Network worm with backdoor capability

On the night of September 30, 2002, a network worm with backdoor capabilities was discovered spreading over local networks and the Internet using Microsoft Windows NetBIOS services. The Opaserv worm broadcasts probes to port 137 in search of vulnerable machines; when one is found, it sends specific SMB packets to port 139 and attempts to copy itself over and infect the new machine. Once there, the worm installs itself in the Windows directory as scrsvr.exe and adds the value 'ScrSvr = C:\Windows\scrsvr.exe' to the 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' registry key so that it loads at startup. The original worm file is then deleted.

Opaserv immediately begins infecting the local network, searching for open "C\" shares. When one is found, Opaserv copies itself to that machine's Windows directory, again as 'scrsvr.exe', and creates a file named tmp.ini in the root of C:\. The machine's WIN.INI file is then modified to add 'tmp.ini' to the Run= line, causing it to be loaded at startup. The WIN.INI path and the Run= modification are hard-coded as absolute values, so this network infection routine works only on Windows 9x systems.

Opaserv also tries to connect to www.opasoft.com to upgrade itself and download new script files. According to F-Secure, the site has since been shut down, so the worm can do no more than propagate. Machines infected before the site was shut down may also contain ScrSin.dat, ScrSout.dat, and scrupd.exe.

To remove the worm, scan the system with antivirus software updated on or after 10/01/02, deleting any files identified as infected with the Opaserv worm. Then edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key and remove any reference to the worm. Finally, edit the WIN.INI file and remove 'c:\tmp.ini' from the Run= line.
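As an added example (not from the original page or from any antivirus vendor), the following Python triage helper applies the removal checks above to copies of the artifacts rather than to a live system: it parses a WIN.INI and a REGEDIT4 export of the Run key, flags the worm's entries, and rewrites the Run= line without c:\tmp.ini while keeping any legitimate entries. The sample WIN.INI and .reg contents are constructed for the demonstration.

```python
import re

# Indicators taken from the description above
WORM_RUN_VALUE = "ScrSvr"          # value name added to the Run key
WORM_INI_ENTRY = r"c:\tmp.ini"     # entry appended to the WIN.INI Run= line

# Constructed sample: WIN.INI after infection, with one legitimate run= entry
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\tools\\agent.exe c:\\tmp.ini\n[Desktop]\nWallpaper=(None)\n"

# Constructed sample: REGEDIT4 export of the Run key containing the worm's value
SAMPLE_REG = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"SystemTray\"=\"SysTray.Exe\"\n"
    "\"ScrSvr\"=\"C:\\\\Windows\\\\scrsvr.exe\"\n"
)

def win_ini_run_entries(text):
    """Return the entries of the run= line in the [windows] section (case-insensitive)."""
    in_windows = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
        elif in_windows and s.lower().startswith("run="):
            return [e for e in re.split(r"[ ,]+", s[4:]) if e]
    return []

def win_ini_infected(text):
    """True if the worm's tmp.ini entry is on the Run= line."""
    return any(e.lower() == WORM_INI_ENTRY for e in win_ini_run_entries(text))

def clean_win_ini(text):
    """Rewrite the run= line without the worm entry, leaving everything else untouched."""
    out, in_windows = [], False
    for line in text.splitlines(keepends=True):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
        elif in_windows and s.lower().startswith("run="):
            keep = [e for e in re.split(r"[ ,]+", s[4:]) if e and e.lower() != WORM_INI_ENTRY]
            line = "run=" + " ".join(keep) + ("\n" if line.endswith("\n") else "")
        out.append(line)
    return "".join(out)

def run_key_worm_values(reg_text):
    """Return Run-key value names whose data points at scrsvr.exe (from a REGEDIT4 export)."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.lower().endswith("\\currentversion\\run]")
        elif in_run:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and "scrsvr.exe" in m.group(2).lower():
                hits.append(m.group(1))
    return hits
```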

Unless it is certain that a machine was infected after the www.opasoft.com site was shut down, assume it may have been further compromised through the backdoor. User logins and passwords should be changed accordingly, and affected systems checked for other signs of intrusion.

©2009 About.com, a part of The New York Times Company. All rights reserved.