updated 16 December '02
Description: Opasoft (also known as Opasrv) was first detected by InVircible when it tried to install itself on IV-protected PCs, revealing a backdoor driver named Scrsvr.exe. Variants of Opasoft use different names for the driver, among them Alevir, Brasil, Marco! and Instit.bat. Opasoft is a 'share aware' worm that propagates exclusively through unprotected or weakly passworded shares. The worm file is copied to the Windows directory on the victim PC and initialized through one or more of the following methods: from the registry's machine 'run' key; by a direct call to the worm driver (Scrsvr, Brasil, Alevir, Marco! or Instit.bat) from a run command in win.ini; or indirectly, by run=c:\tmp.ini, where tmp.ini calls the worm driver through a 'run=' entry.
Since the end of October '02, computers that become infected by Opasoft are very likely to also be infected by older PE viruses, picked up by Opasoft on a previously infected PC. The most common secondary infectors carried by Opasoft are Funlove, Spaces.1445, Dupator and Parite.
Detection: Opasoft is inherently detected by the startup applications monitor of IV Interceptor; no IV update is required.
Removal: Opasoft only infects shared system drives with no or weak password protection! Therefore, before anything else, please ensure that the entire system drive, usually C:, is not shared with everyone. If you need to share, restrict the sharing to specific directories and resources, but never include the system drive in these shares.
A possible cause of weak passwording is the 'share level password' vulnerability, present in unpatched Windows 95, 98, 98SE and ME. Check the 'network' applet in Control Panel, under 'access control'. Change the control to 'user level' (available only in NT networks), or apply the Microsoft patch for this vulnerability (required only on Win 95/98/98SE and ME platforms).
For advanced users only: where file sharing is not required on the Internet, remove "file and printer sharing" from the bindings list of the protocol used to connect to the web (TCP/IP -> dial-up adapter, or the adapter that connects to ADSL). If no file sharing is required on the local network either, remove the service from the bindings list of all protocols. Click the link for detailed instructions on how to minimize the file sharing vulnerability risks.
After having stopped the unnecessary shares, the worm can be removed either manually or automatically with InVircible.
To remove manually: start REGEDIT and delete the entry under machine 'run' that points to the bogus driver (Scrsvr, Brasil, Alevir, Marco!). Next, open Win.ini with Notepad or SysEdit and delete the line(s) that start with 'run=' and contain one of the worm's driver names. Reboot the computer, and delete any of the following, if found: Alevir.*, ScrSvr.*, Brasil.*, Marco!.* and C:\tmp.ini.
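The win.ini check in the manual removal steps above (including the run=c:\tmp.ini indirection from the description) can be scripted for a defender reviewing copies of these files offline. This is an added Python example, not code from this advisory or from InVircible; the `find_opasoft_run_entries` function, the sample win.ini text and the tmp.ini contents are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Driver names the advisory lists for Opasoft variants (lower-cased for matching).
OPASOFT_DRIVERS = ("scrsvr", "brasil", "alevir", "marco!", "instit.bat")

# A win.ini 'run=' line; the value may list several programs.
RUN_LINE = re.compile(r"^\s*run\s*=\s*(.+?)\s*$", re.IGNORECASE)


def is_opasoft_driver(path: str) -> bool:
    """True if the file name in `path` is one of the known worm driver names."""
    name = path.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()
    stem = name.rsplit(".", 1)[0]          # 'scrsvr.exe' -> 'scrsvr'
    return name in OPASOFT_DRIVERS or stem in OPASOFT_DRIVERS


def find_opasoft_run_entries(win_ini_text: str, files: Dict[str, str],
                             source: str = "win.ini", depth: int = 0
                             ) -> List[Tuple[str, int, str]]:
    """Return (file, line number, target) for every 'run=' target that names a
    worm driver. `files` maps lower-cased paths to file contents so that the
    run=c:\\tmp.ini indirection can be followed offline (one level deep)."""
    findings = []
    for lineno, line in enumerate(win_ini_text.splitlines(), 1):
        m = RUN_LINE.match(line)
        if not m:
            continue
        # Simplification: targets are split on spaces/commas (8.3 names, no spaces).
        for target in re.split(r"[,\s]+", m.group(1)):
            if not target:
                continue
            if is_opasoft_driver(target):
                findings.append((source, lineno, target))
            elif target.lower().endswith(".ini") and depth < 1:
                nested = files.get(target.lower())
                if nested is not None:   # follow run=c:\tmp.ini into that file
                    findings.extend(find_opasoft_run_entries(
                        nested, files, source=target.lower(), depth=depth + 1))
    return findings


# Constructed sample input: an infected win.ini plus the tmp.ini it points to.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\scrsvr.exe c:\\tmp.ini\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_FILES = {"c:\\tmp.ini": "[windows]\nrun=C:\\WINDOWS\\MARCO!.EXE\n"}

if __name__ == "__main__":
    for src, no, target in find_opasoft_run_entries(SAMPLE_WIN_INI, SAMPLE_FILES):
        print(f"{src} line {no}: suspicious run= target {target}")
```

Every reported line is one the manual procedure says to delete from win.ini (or from tmp.ini), so the script only points at entries; it changes nothing on disk.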
Automatic removal with InVircible: first, download IVINIT from this link to the local hard drive. Restart the computer in MS-DOS mode (only possible under Win 95/98) and run IVINIT several times from the command prompt, until you see no more messages about removing an Opasoft Trojan file. Restart Windows and answer 'yes' when Interceptor prompts whether to remove the inactive remains of Opasoft's initialization entries.
©NetZ Computing