| Field | Value |
|---|---|
| VID | 24053 |
| Severity | 40 |
| Port | 139 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
This signature detects the Opaserv worm. This network worm uses the Share Level Password vulnerability on Windows systems to propagate across network-shared C:\ drives. The vulnerability allows a remote user to access a Windows 9x/Me shared file without knowing the entire password assigned to that share. The worm attempts to replicate across open network shares and copies itself to the remote computer as a file named Scrsvr.exe. It also attempts to download updates from www.opasoft.com, although that site is not accessible and is either blocked or currently down. Indicators of infection include:
- The files Scrsin.dat and Scrsout.dat exist in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
- The file Tmp.ini exists in the root of drive C. This indicates a remote infection (that is, the computer was infected by a remote host).
- The file ScrSvr.exe exists in the Windows or WinNT folder of drive C.
- The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value ScrSvr or ScrSvrOld, set to c:\tmp.ini.
Depending on the antivirus vendor, it is known as W32/Opaserv.worm [McAfee], W32/Opaserv-A [Sophos], Win32.Opaserv [CA], WORM_OPASOFT.A [Trend], Worm.Win32.Opasoft [AVP], and so on.
* Platforms Affected: Microsoft Windows, any version
* References: http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A
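The indicators of infection listed above translate directly into a host check. The Python helper below is an added example, not part of this signature record or of any vendor's removal tool. It assumes an inventory snapshot in the form of a dict holding the file paths found on the host and the values under the Run key (the sample snapshots are constructed for the example), and it classifies the host as showing local infection, remote infection, the dropped worm binary, Run-key persistence, or nothing.

```python
"""Triage a Windows host snapshot against the Opaserv indicators of infection.

Added example: the indicator values come from the signature description; the
snapshot format is an assumption, not an output of any real inventory tool.
"""
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the signature description (normalised to lower case,
# because Windows file names and registry value names are case-insensitive).
LOCAL_MARKERS = {"c:\\scrsin.dat", "c:\\scrsout.dat"}   # worm ran locally
REMOTE_MARKER = "c:\\tmp.ini"                          # host was infected over a share
WORM_BINARY_PATHS = {"c:\\windows\\scrsvr.exe", "c:\\winnt\\scrsvr.exe"}
RUN_VALUE_NAMES = {"scrsvr", "scrsvrold"}
RUN_VALUE_DATA = "c:\\tmp.ini"


@dataclass
class Verdict:
    local_infection: bool = False
    remote_infection: bool = False
    binary_present: bool = False
    persistence: bool = False
    evidence: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return any((self.local_infection, self.remote_infection,
                    self.binary_present, self.persistence))


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons do not depend on how the inventory wrote paths."""
    return path.strip().lower().replace("/", "\\")


def triage(snapshot: dict) -> Verdict:
    """snapshot = {"files": [path, ...], "run_key": {value_name: data, ...}} (assumed format)."""
    files = {_norm(p) for p in snapshot.get("files", [])}
    run_key = {name.lower(): _norm(data) for name, data in snapshot.get("run_key", {}).items()}
    verdict = Verdict()

    found_local = sorted(LOCAL_MARKERS & files)
    if found_local:
        verdict.local_infection = True
        verdict.evidence.append(f"local-infection markers: {found_local}")

    if REMOTE_MARKER in files:
        verdict.remote_infection = True
        verdict.evidence.append(f"remote-infection marker: {REMOTE_MARKER}")

    found_bin = sorted(WORM_BINARY_PATHS & files)
    if found_bin:
        verdict.binary_present = True
        verdict.evidence.append(f"worm binary: {found_bin}")

    for name in sorted(RUN_VALUE_NAMES & set(run_key)):
        verdict.persistence = True
        match = "matches" if run_key[name] == RUN_VALUE_DATA else "does not match"
        verdict.evidence.append(
            f"{RUN_KEY}\\{name} = {run_key[name]!r} ({match} the documented value)")

    return verdict


# Constructed sample snapshots, not captures from real hosts.
SAMPLE_REMOTE = {
    "files": [r"C:\Tmp.ini", r"C:\WINDOWS\ScrSvr.exe", r"C:\WINDOWS\notepad.exe"],
    "run_key": {"ScrSvr": r"c:\tmp.ini", "SystemTray": "SysTray.Exe"},
}
SAMPLE_LOCAL = {
    "files": [r"C:\Scrsin.dat", r"C:\Scrsout.dat", r"C:\WINNT\scrsvr.exe"],
    "run_key": {"ScrSvrOld": r"C:\TMP.INI"},
}
SAMPLE_CLEAN = {
    "files": [r"C:\autoexec.bat", r"C:\WINDOWS\explorer.exe"],
    "run_key": {"SystemTray": "SysTray.Exe"},
}

if __name__ == "__main__":
    for label, snap in (("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL), ("clean", SAMPLE_CLEAN)):
        v = triage(snap)
        print(f"{label}: infected={v.infected}")
        for line in v.evidence:
            print("   ", line)
```

The split between local and remote markers matters for response: a host with Tmp.ini but no Scrsin.dat/Scrsout.dat was reached over a share, so the search for the source should move to whichever host has the local markers. Running the check over every host that exposes port 139 gives the same answer the network signature gives, but from the host side.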
| Recommendation |
1. Remove the worm from the infected computer by using an antivirus program or a free disinfection tool. A free Opaserv removal tool is available from: http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
2. If you have not already applied the patch for the Share Level Password vulnerability, obtain and install it to prevent future infections. The patch can be found at http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
3. Close the Windows shares on the infected computer; if sharing is required, use read-only access or password protection.
| Related URL | Source |
|---|---|
| CVE-2000-0979 | CVE |
| | SecurityFocus |
| | ISS |