1. Symantec/
  2. Security Response/
  3. W32.Opaserv.Worm


Risk Level 2: Low

September 30, 2002
February 13, 2007 11:40:37 AM
Also Known As:
W32/Opaserv.worm [McAfee], W32/Opaserv-A [Sophos], Win32.Opaserv [CA], WORM_OPASOFT.A [Trend], Worm.Win32.Opasoft [AVP]
Systems Affected:
CVE References:

NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of June 13, 2003.

W32.Opaserv.Worm is a network-aware worm that attempts to replicate across open network shares. It copies itself to the remote computer as a file named Scrsvr.exe. This worm also attempts to download updates from www.opasoft.com, although the site may have already been shut down. Indicators of infection include:
  • The existence of the files Scrsin.dat and Scrsout.dat in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
  • The existence of the Tmp.ini file in the root of drive C. This indicates a remote infection (that is, the computer was infected by a remote host).
  • The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run contains the string value ScrSvr or ScrSvrOld, which is set to c:\tmp.ini.

NOTE: If you are on a network, or have a full time connection to the Internet such as DSL or Cable modem, you must disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, these must be disabled. When you have finished the removal procedure, if you decide to reenable file sharing, Symantec suggests that you do not share the root of drive C. Share specific folders instead. These shares must be password-protected with a secure password. Do not use a blank password.

Also, before doing so, if you are using Windows 95/98/Me, you must download and install the Microsoft patch from


If you are on a network, have a full time connection to the Internet such as DSL or Cable modem, or often leave a dial-up connection open for extended periods, we strongly recommend the installation of a firewall for additional protection. For information on Symantec firewall products, go to:


If you are using a Norton AntiVirus consumer product, also read the document How to prevent reinfections of W32.Opaserv.Worm.

Antivirus Protection Dates

  • Initial Rapid Release version September 30, 2002
  • Latest Rapid Release version January 25, 2018 revision 003
  • Initial Daily Certified version September 30, 2002
  • Latest Daily Certified version January 25, 2018 revision 007
  • Initial Weekly Certified release date September 30, 2002
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Douglas Knowles

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube