That's weird. Spybot detected the opaserv worm on my computer. Adaware and NAV did not find anything. When I went to C:\windows there was no file called scrsvr.exe. I read that it installs that file, then removes it. So that could be an explanation. Weird thing is, this worm is only supposed to affect Win9x and I have XP. So what's going on? A false positive?
Two things... It, according to this page at Symantec http://securityresponse.symantec.com...serv.worm.html can infect XP and 98... and if it was quarantined by Spybot then it would no longer show up as being in the Windows directory. Try looking in the Spybot quarantine file for it or do a system file search for scrsvr.
If you still don't find anything then maybe it was a false positive.
Also, look in your win.ini file... from Symantec:
The worm is apparently coded to add this line to the Win.ini:
run= c:\tmp.ini
However, in actual infections or detections, the worm is adding the line run= c:\ScrSvr.exe.
Its quarantine folder is called "recovery" and is within its own program folder.. it probably isn't created until something is actually placed there.
If it still isn't corroborated let spybot quarantine it so you can examine the alleged virus file (& find out what it's called if not scrsvr, as well) and decide if it's a false positive. You can always return it later if it is.
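The win.ini check suggested above, as an added example that is not part of the original thread: it scans the `[windows]` section for `run=` entries and flags the two values quoted from Symantec. The function names and the sample file are constructed for illustration, and checking `load=` as well goes beyond what the thread mentions.

```python
import sys

# The two run= values quoted from Symantec in the thread (compared lower-cased).
OPASERV_RUN_VALUES = {r"c:\tmp.ini", r"c:\scrsvr.exe"}

# Constructed sample win.ini, not taken from a real machine.
SAMPLE_WIN_INI = r"""; for 16-bit app support
[fonts]
[windows]
load=
run= c:\ScrSvr.exe
NullPort=None
[extensions]
run=c:\outside-windows-section.exe
"""

def autorun_entries(text):
    """Yield (key, program) for each run=/load= program in the [windows] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # Assumption: entries are short paths without spaces,
            # separated by spaces or commas.
            for program in value.replace(",", " ").split():
                yield key, program

def check_win_ini(text):
    """Return (key, program, verdict) for every autorun entry found."""
    return [
        (key, prog,
         "matches Opaserv" if prog.lower() in OPASERV_RUN_VALUES else "review")
        for key, prog in autorun_entries(text)
    ]

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_WIN_INI
    for key, prog, verdict in check_win_ini(text):
        print(f"{key}= {prog}  [{verdict}]")
```

An empty result means the `[windows]` section has no `run=` or `load=` programs at all, which is the "no lines in win.ini" case discussed in the thread.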
Spybot says that it can only do it after a restart because it's in use or in a process or something like that. I checked my processes and there is nothing weird there. I also did a Symantec security scan, and it says that I am vulnerable on port 5000, which is UPnP. I am using ZA Pro. How do I close this port?
If the opaserv removal tool doesn't find the virus and then the online scan doesn't either then there's a pretty good chance it's a false positive... enforced by all the evidence so far.. especially no lines in win.ini.
Coincidence? I think not! I have the exact same problem on my computer at work. It seems like it detects it only after doing the last update. Is anyone else experiencing this problem?