Opaserve:Worm

  • Thread starter: Grandad

Grandad

Can anyone tell me the method of getting rid of "Opaserve:Worm" from my
computer. Have read about it before but can't remember the details.
Running Windows XP home edtn.
Just installed Spybot and this detected it, although I run both AVG7 and
Adaware every day and neither of these programmes have found it.
Haven't got used to Spybot yet but there doesn't seem to be a removal tool.
Any help appreciated.
Jim.
 
> Can anyone tell me the method of getting rid of "Opaserve:Worm" from my
> computer. Have read about it before but can't remember the details.
> Running Windows XP home edtn.
> Just installed Spybot and this detected it, although I run both AVG7 and
> Adaware every day and neither of these programmes have found it.
> Haven't got used to Spybot yet but there doesn't seem to be a removal tool.
> Any help appreciated.
> Jim.

I'd go to www.pspl.com & get the removal tool for it. Also since it can
come in via network shares I'd go to http://www.grc.com/default.htm run
the port scan test & close down the open vulnerable ports that are open.
It also could be in your restore folder, & you'd have to uncheck the
system restore & lose all your restore points & then turn it back on.
 
Geese_Hunter said:
> I'd go to www.pspl.com & get the removal tool for it. Also since it can
> come in via network shares I'd go to http://www.grc.com/default.htm run
> the port scan test & close down the open vulnerable ports that are open.
> It also could be in your restore folder, & you'd have to un check the
> system restore & lose all your restore points & then turn it back on.

Thanks for that info Geese Hunter. Will try it tomorrow. Going to watch
football now on channel 5.
Thanks again.
Jim.
 
> Thanks for that info Geese Hunter. Will try it tomorrow. Going to watch
> football now on channel 5.
> Thanks again.
> Jim.

Football ??? not on my channel 5. Hmm must be my reception
 
> > Thanks for that info Geese Hunter. Will try it tomorrow. Going to watch
> > football now on channel 5.
> > Thanks again.
> > Jim.
>
> Football ??? not on my channel 5. Hmm must be my reception

PSV v Newcastle. 1-1 half time.
Jim.
 
The removal tool from pspl appeared to do a good job and informed me the
worm has been removed but each time I do a check, Spybot still finds it and
can't remedy it. Have also tried removing it with System Restore disabled
but no joy.
Must admit I don't properly understand about closing down vulnerable ports.
The old grey matter aint performing like it should. (Age you know)
Jim.
 
> worm has been removed but each time I do a check, Spybot still finds it and
> can't remedy it. Have also tried removing it with System Restore disabled
> but no joy.
> Must admit I don't properly understand about closing down vulnerable ports.
> The old grey matter aint performing like it should. (Age you know)
> Jim.

Well 1st you'll have to tell me who won the game.
What Op system are you running? If higher than win 98se go to the
http://www.grc.com/default.htm page & get: The DCOMbobulator, Shoot The
Messenger & UnPlug n' Pray. install them, very easy to install & real
small programs. & then run ShieldsUP!

In Spybot s&d when it says it found part of Opaserv, what's the exact
message. The next step is that you could get the Hijack This program,
don't put it on your desktop or in a temporary directory, scan it, save
log & e-mail me the log to geese_hunter at yahoo dot com. If you do, put
the subject of Hijack Log, otherwise I'll delete the message. & I'll look
over the log file.
 
> worm has been removed but each time I do a check, Spybot still finds it and
> can't remedy it. Have also tried removing it with System Restore disabled
> but no joy.
> Must admit I don't properly understand about closing down vulnerable ports.
> The old grey matter aint performing like it should. (Age you know)
> Jim.

OOps, you can get Hijack this from : www.majorgeeks.com
 
> > worm has been removed but each time I do a check, Spybot still finds it and
> > can't remedy it. Have also tried removing it with System Restore disabled
> > but no joy.
> > Must admit I don't properly understand about closing down vulnerable ports.
> > The old grey matter aint performing like it should. (Age you know)
> > Jim.
>
> OOps, you can get Hijack this from : www.majorgeeks.com
> --
> Now Go away! Go on - scoot! Shoo!

Full time 1-1

Unable to do any more today as relatives are on their way to visit, but will
try your suggestions tomorrow.
Regards, Jim.
 
On that special day, Geese_Hunter, (Géésé_Hunté[email protected]) said...
> I'd go to http://www.grc.com/default.htm run
> the port scan test & close down the open vulnerable ports that are open.

And check that the password of your shares is good, and doesn't "consist
of only one letter" as it is the case with several Microsoft Windows
versions. Opasoft exploits that flaw extensively.

http://www.microsoft.com/technet/security/bulletin/MS00-072.asp


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam said:
> On that special day, Geese_Hunter, (Géésé_Hunté[email protected]) said...
>
> And check that the password of your shares is good, and doesn't "consist
> of only one letter" as it is the case with several Microsoft Windows
> versions. Opasoft exploits that flaw extensively.
>
> http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
>
> Gabriele Neukam
>
> (e-mail address removed)

Checked MS security bulletins but there is no patch for XP Home edition
shown. The port scan test etc gives me a perfect bill of health.
Jim.
 
Thanks for the tip on Proland's W32/Opaserv Worm curing program. I've been
fighting this worm for a week on an older Windows/98 laptop I planned to
give away. I tried five products including McAfee and Norton and none of
them completely removed the virus and it would come back after two boots.

McAfee claimed it was in the boot sector and it was not. All the products
could detect the virus but only Prolands actually removed it.
Unfortunately, their product didn't tell me where the bad code was and just
gave me two messages about registry errors associated with the virus. All
the other products gave me either one message or none. I presume somewhere
in the registry was a pointer to an obscure program that caused my
reinfection and was not detected by scanning every single file on the system
with any of the five programs I tried. I am licensed for McAfee and
up-to-date and I had the Microsoft fixes on my system.

John B jhbowen1 at charter.net
 
Whoops, I was too hasty. This time the worm came back after three boots...
I'm not on a network or even dialed in. This is a tough one. JB
 
John Bowen said:
> McAfee claimed it was in the boot sector and it was not.

How did you determine it was not?

> I presume somewhere in the registry was a pointer to an
> obscure program that caused my reinfection.

Was this perhaps not merely an infestation of the worm, but
rather the recovery of opaserve.k payload activation? Might
there be remnants of payload scattered about the harddrive?
 
I found the source of my problems and fixed it finally. I was connected to a
dial up modem and after about 15 minutes somebody came in on port 137 and
since I was sharing my C drive with the Internet they were reinfecting me
with Opaserve (all variations from A to V). This worm does not come into
your system via an email. It comes because somebody else with the virus is
pinging away with different IP addresses until they find somebody connected
to the Internet and sharing their C drive without a password. I was doing
this because I have 5 PCs and I wanted easy access to files.

I learned my lesson thanks to a description of the fix by Brad Peterson. All
the software tools were doing was removing the virus and then I was being
reinfected again from the Internet. The latest virus Sasser discovered
yesterday does pretty much the same thing. It doesn't require an email
attachment to load into your computer.

I guess I'll have to revisit my attitude about a firewall as being too
complex and unnecessary in a home.

John Bowen
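
The reinfection path described in the post above (a whole drive shared to the Internet without a password) can be checked for on the machine itself. The sketch below is an added example, not part of the original thread: it scans the text printed by the Windows `net share` command and reports user-created shares that expose an entire drive. The sample output and the function name `whole_drive_shares` are constructed for illustration, and share names are assumed to contain no spaces.

```python
import re

# Constructed sample of `net share` output (not taken from the thread).
SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C            C:\
Docs         D:\Shared\Docs                  Family documents
The command completed successfully.
"""

# A share name followed by a resource that is exactly a drive root ("C:\").
# Assumption: the share name has no spaces, so it is the first token.
ROOT_SHARE = re.compile(r"^(\S+)\s+([A-Za-z]:\\)(?:\s|$)")


def whole_drive_shares(net_share_output):
    """Return (share name, drive root) for user-created whole-drive shares."""
    findings = []
    for line in net_share_output.splitlines():
        match = ROOT_SHARE.match(line)
        if not match:
            continue  # header, separator, IPC$, or a share of a subfolder
        name, root = match.groups()
        if name.endswith("$"):
            # Built-in administrative shares (C$, D$) are hidden and need
            # administrator credentials; they are not what the post describes.
            continue
        findings.append((name, root))
    return findings


if __name__ == "__main__":
    for name, root in whole_drive_shares(SAMPLE):
        print(f"Share {name!r} exposes all of {root}: "
              "remove it, or share a single folder with a password instead")
```

On a live system, save the output of `net share` to a text file and pass its contents to the function in place of `SAMPLE`.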
 
Quoth the raven named John Bowen:
> ... I was doing this because I have 5 PCs and I wanted easy access
> to files.

You sound like a candidate for a router.

> I learned my lesson thanks to a description of the fix by Brad
> Peterson. All the software tools were doing was removing the virus
> and then I was being reinfected again from the Internet. The latest
> virus Sasser discovered yesterday does pretty much the same thing.
> It doesn't require an email attachment to load into your computer.

There are dozens of viruses/trojans that work like this. Apparently,
you've been really lucky so far.

> I guess I'll have to revisit my attitude about a firewall as being
> too complex and unnecessary in a home.

Put those five PCs behind a router. Running a software firewall on
each would also be a good idea.
 
John Bowen said:
> I found the source of my problems and fixed it finally. I was connected to a
> dial up modem and after about 15 minutes somebody came in on port 137

Whatever happened to the assertion that "I'm not on a network
or even dialed in." then?

> and since I was sharing my C drive with the Internet they were reinfecting me
> with Opaserve (all variations from A to V).

Sheesh! (okay - I'll be nice)

> This worm does not come into your system via an email.

Right, it is a networking thing. However, if you are not on a
network (or even dialed in) then it wouldn't matter much
that you also are up to date with critical patches and AV
software.

> It comes because somebody else

....with an equally ludicrous security scheme...

> with the virus

....or network worm

> is pinging away with different IP addresses until they find somebody connected
> to the Internet and sharing their C drive without a password.

....or an equally insufficient one (guessable or unpatched)

> I was doing
> this because I have 5 PCs and I wanted easy access to files.

There is no good excuse for this behavior. The problem is that
many users are not (nor do they consider themselves to be)
administrators of their own systems.

> I learned my lesson thanks to a description of the fix by Brad Peterson.

Imo, the lesson is far more important than the specific fix. Worms
such as this help to point out the error in the way [too] many people
have their computers configured.

> All the software tools were doing was removing the virus

Removal tools are *supposed* to do just that. Keeping your
machine secure is not their job (care to guess whose job it is?)

> and then I was being reinfected again from the Internet.

Had it not been for this worm opening your eyes to security matters,
you would have been offering your computer's resources to anyone
willing to grab it.

Not a *good* thing at all.

> The latest virus Sasser discovered
> yesterday does pretty much the same thing. It doesn't require an email
> attachment to load into your computer.

Many worms are not e-mail vector worms. The sheer number
of e-mail vector worms makes the public think that *all* viruses
and worms are related to e-mail. It is simply not the case, as you
have apparently just found out.

> I guess I'll have to revisit my attitude about a firewall as being too
> complex and unnecessary in a home.

That is another story. Far better would be to use an old PC as
a dedicated firewall (educational as well as functional), or get
a full featured router.

Anyway, glad you got it all sorted out - and learning more about
security is always a plus.
 
> > I guess I'll have to revisit my attitude about a firewall as being too
>
> That is another story. Far better would be to use an old PC as
> a dedicated firewall (educational as well as functional), or get
> a full featured router.

I'm new to Windows; have been running a network of 30 some Macs for
10+ years. We've just added 3 XP machines to the network, do not use
them for email, but do use them for the web and ftp. Our office
connection to the net is a SOHO broadband router. Online security
scans show us as secure (no ports open). Now then to the question -- I
have no virus checker, spy checker, etc. software on the three XP
machines. If all the XP machines are behind the router, and they are
not used for email, do I need such software or is the router enough
protection? I see lots of comments like 'get behind a router to be
safe' but set up software firewalls, virus protection, etc., 'just in
case.' I need a simple reply from a knowledgeable person -- will a
router alone be enough? If not, why and what else do I need to do?
Many thanks in advance. Tim Selander, Tokyo, Japan
 
Tim Selander said:
> I'm new to Windows; have been running a network of 30 some Macs for
> 10+ years. We've just added 3 XP machines to the network, do not use
> them for email, but do use them for the web and ftp. Our office
> connection to the net is a SOHO broadband router. Online security
> scans show us as secure (no ports open). Now then to the question -- I
> have no virus checker, spy checker, etc. software on the three XP
> machines.

I would suggest getting some.

> If all the XP machines are behind the router, and they are
> not used for email, do I need such software or is the router enough
> protection?

I don't know about your router, but they can be pretty good
protection from the outside. However, some malware comes
in because it is invited in.

> I see lots of comments like 'get behind a router to be
> safe' but set up software firewalls, virus protection, etc., 'just in
> case.' I need a simple reply from a knowledgeable person -- will a
> router alone be enough?

Sorry, all I can do is offer the opinion of a simple home user.

No, a router is not enough. But there are routers with additional
functions that can provide *nearly* enough protection. The XP
machines should have additional AV software so that you can
detect known malicious content that was invited in. Some kinds
of malware have web based attacks - the browsing ability of the
XP machines opens that possible vector up.

> If not, why and what else do I need to do?

Not being a network guru myself, I suggest that someone with
more knowledge in that area advise you.

If nobody jumps in here, I suggest that you start another thread
with this query.
 