mawil, I had the following on an e-mail from CA.

Win32.Opaserv.Worm

Win32.Opaserv is a worm that spreads through shared Windows drives. When run, the worm copies itself to the Windows directory. It then adds the following value to the registry so that this copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr="%Windows%\ScrSvr.exe"

It also creates this registry key value that is set to the file from which worm was originally run:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvrOld="ScrSvr.exe"

This registry key is later deleted.

The files ScrSin.dat and ScrSout.dat are also created in the %Windows% directory.

Win32.Opaserv attempts to copy itself over the network through open share directories to WINDOWS\scrsvr.exe on a remote Windows machine.

The worm also attempts to update itself by downloading a copy off a webserver. The file that is downloaded is named scrupd.exe.

The eTrust InoculateIT signature updates listed below contain detection and system cure for Win32.Opaserv.Worm.

To cure an infected system, all files being detected as Win32.Opaserv.Worm must be deleted. This can either be done manually or by setting eTrust InoculateIT to delete infected files.

If you already saw this just disregard.

Tufenuf