1. Symantec/
  2. Security Response/
  3. W32.Opaserv.J.Worm

W32.Opaserv.J.Worm

Risk Level 2: Low

Discovered:
December 20, 2002
Updated:
February 13, 2007 11:56:26 AM
Type:
Worm
Systems Affected:
Windows
CVE References:
CVE-2000-0979


The W32.Opaserv.J.Worm is a variant of the W32.Opaserv.Worm. It is a network-aware worm that spreads across open network shares. This worm copies itself to the remote computer as a file named Srv32.exe. It is compressed using ASPack. The W32.Opaserv.J.Worm also has Backdoor capabilities.

Indicators of the infection include the existence of:
  • The files SrvTsk and SrvRes in the root of drive C. This indicates a local infection; that is, the worm was executed on the local computer.
  • The existence of the temp.ini file in the root of drive C. This may indicate a remote infection; that is, the computer was infected by a remote host.
  • The existence of the value

    Srv32        C:\WINDOWS\Srv32.exe
    or 
    Srv32Old     <Path\original worm name>


    in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

NOTE: When the worm runs on Windows 95/98/Me-based computers, the worm can spread to other Windows 95-/98-/Me-/2000-/NT-/XP-based computers through open network shares, but the worm cannot run on Windows 2000/NT/XP.

If you are on a network, or have a full-time connection to the Internet, such as a DSL or cable modem, you must disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, disable them. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Instead, share specific folders. These shared folders must be password-protected with a secure password. Do not use a blank password.

Also, before doing so, if you are using Windows 95/98/Me, download and install the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.


Antivirus Protection Dates

  • Initial Rapid Release version December 23, 2002
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version December 23, 2002
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date December 24, 2002
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Yana Liu

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube