Opaserv: the worst virus that I have ever seen!

I have a little computer network; one of the PCs is connected to the Internet with a modem. All the PCs are infected by the Opaserv virus.
I switched off the hub and removed the virus from each computer one after another, then I installed a firewall to block the 317 port on the PC connected to the Internet. I have Norton AntiVirus Corporate Edition updated with the latest definitions. Surprise: some minutes after I connected to the Internet with Outlook Express, I received the message that the PCs are infected again. I think Norton AV removes the worm files, but not the viral code, so the worm is generated again. I don’t know what to do!

Can you suggest another way to remove it definitely? Which is the best antivirus solution against this virus?

Thank you!

He,

I’m not sure, but as far as I can remember someone told me that that virus adds a line in the win.ini file. Maybe you should check it out!

Grtz

How to prevent reinfections of W32.Opaserv.Worm … http://service1.symantec.com/SUPPORT/nav.nsf/aab56492973adccd8825694500552355/fb0d65478e62623888256c5a0080593c?OpenDocument

Ehh… Yuck.
I just had to deal with this bug just this past weekend, part of Monday (weekend of 11-9).

I had to manually remove the damn thing. If you can’t get the removal tool, here is what you need to keep from being infected again. Depending on how many PCs you have, it may take some time to get it off all the machines.

Make sure to unplug the PC from the network when you are about to remove this virus.

  1. Look for these files: alevir.exe, brasil.exe, cronos or marco!.scr, scrsvr.exe, instit.bat, Gustav.sap. If you have any of these files, you will probably get reinfected. The best thing to do is delete them. They more than likely will be in the Windows folder. Also look for these .ini files: tmp.ini, put.ini and gay.ini. These are all pointer .ini’s for the damn virus. Delete them also. If you try to delete and can’t, go to the Start button and type in “msconfig” without the quotes. This can also be accomplished with “sysedit” w/o the quotes. Pick the Win.ini and remove the references to these files. Also look for the other line that has loading again, a command with a string of those files in it (it looks something like run=c:\Windows\Brasil.exe,c:\Windows\Brasil.pif,c:\Windows\marco!.scr,c:\windows\scrsvr.exe,c:\windows\instit.bat). You may need to reboot after getting these off here, but make sure you remove it from the registry (the next step).

  2. If you can’t delete these because Windows gives you an excuse about these files, make sure the files are unchecked or deleted in the win.ini. Go back to the Start menu, Run, type in regedit and click HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run= and look to see if it has an equals sign. If it does, this is the key that has the registry entry for the virus. Remove the key. Reboot the machine and run a scan to make sure all the references to it are gone.

I had a problem with installing Norton Antivirus on the 2 computers at work. We use a program for sales and it has a built in security module that stated it could not be loaded and crashed.

There was activity on our router and traffic for port 137.

Here is more information if it is needed:

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.h.worm.html
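
The win.ini check described in the post above can be scripted. The following is an added example, not part of the original post or of any vendor removal tool; the function name `scan_win_ini`, the sample file contents and the `c:\tools\clock.exe` entry are assumptions made for illustration, and only file names the post gives in full are matched.

```python
import ntpath

# File names taken from the post above. "cronos" is left out because the
# post gives no extension for it.
SUSPECT_NAMES = {
    "alevir.exe", "brasil.exe", "brasil.pif", "marco!.scr",
    "scrsvr.exe", "instit.bat", "gustav.sap",
    "tmp.ini", "put.ini", "gay.ini",
}
AUTOSTART_KEYS = {"run", "load"}  # [windows] keys that start programs at boot


def scan_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a win.ini file.

    findings lists (line_number, key, entry) for each run=/load= entry in the
    [windows] section whose file name is in SUSPECT_NAMES. cleaned_text drops
    only those entries; lines without a suspect entry are left untouched.
    """
    findings, out, section = [], [], ""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        key, sep, value = stripped.partition("=")
        key = key.strip()
        if section == "windows" and sep and key.lower() in AUTOSTART_KEYS:
            # run=/load= hold several programs separated by commas or spaces
            entries = value.replace(",", " ").split()
            bad = [e for e in entries
                   if ntpath.basename(e).lower() in SUSPECT_NAMES]
            if bad:
                findings += [(lineno, key.lower(), e) for e in bad]
                good = [e for e in entries if e not in bad]
                line = f"{key}={','.join(good)}"
        out.append(line)
    return findings, "\n".join(out) + "\n"


# Constructed sample, modelled on the run= line quoted in the post.
SAMPLE = (
    "[windows]\n"
    "load=\n"
    "run=c:\\Windows\\Brasil.exe,c:\\Windows\\marco!.scr,c:\\tools\\clock.exe\n"
    "[Desktop]\n"
    "run=c:\\windows\\scrsvr.exe\n"
)

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE)
    for lineno, key, entry in hits:
        print(f"line {lineno}: {key}= references {entry}")
    print(cleaned, end="")
```

Run it against a copy of win.ini taken while the machine is unplugged from the network, and compare the cleaned output with the original before replacing anything.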

Thanks to all!
I think that virus is dead, removing the .ini files, it seems that the machines are cleaned.
Thanks everybody! TAAG

& make sure you remove the other files also.

You’ve no idea what a bad virus is.

Here are some:

- Plastique D
- Tequila
- Vienna
- Tremor

The first 3 ones kill your partition table after a certain amount of time or a certain amount of reboots. Tequila even is self-modifying and can thus not be detected by any software reliably.

I know that Opaserv isn’t so bad in its consequences; I wanted to say that it can infect PCs very easily and it has keystroke capabilities, so the virus manufacturer can know any strings you type on the keyboard, e.g. CC numbers.
In comparison resuming an erased partition is very easy…
TAAG99

Oh, I know what some nasty ass viruses are. W95.cih got a BIOS overwritten for me.

There are tons of evil viruses out there, don’t even get me started on some of the ones I had to clean off.

I wonder if my university offers a course in virus design :wink:

Originally posted by cloakdoa:
"Oh, I know what some nasty ass viruses are. W95.cih got a BIOS overwritten for me.

There are tons of evil viruses out there, don’t even get me started on some of the ones I had to clean off."

Tons of viruses!?

In 20 years of computing I have not had one take control of my machine, yet have been called a few times to disinfect friends’ machines! One even had a precious business database in it and the virus would self-replicate from one disk to another during disinfection! Ah, the good old PC DOS days, when Bloatware was truly Sinful!

OK, I’m not on an intranet, not on cable, don’t spend all my time on the net or exchanging files (I use my machine mostly for writing reports)… But so far I have been able to identify all of them in my email header display without even having my email scanner get into action and only seldom my real time background scanner on the odd occasion I’ve had to work with friend’s files…

I use ZoneAlarmPro, NOD32 Antivirus and TheBat! Email. What are you guys using?

I have some on a floppy disk, zipped up if you wish to play with them, but they are for test purposes only!!

That’s how I test the antivirus software. Right now I’m using Norton AV, PC-cillin’s HouseCall, have Outlook Express fixed not to accept any attachments… and I also use common sense about things that don’t look right. Anything that looks out of place doesn’t get executed. The virus on the work PCs was not because of me.