1. Symantec/
  2. Security Response/
  3. W32.Opaserv.AD.Worm


Risk Level 2: Low

September 17, 2003
February 13, 2007 12:08:35 PM
Also Known As:
W32/Opaserv.worm.ac [McAfee], Worm.Win32.Opasoft.p [KAV], Win32/Opaserv.AA.worm [GeCAD]
Systems Affected:

W32.Opaserv.AD.Worm is a variant of W32.Opaserv.Worm. It is a network-aware worm that spreads across open network shares. It copies itself to the remote computer as the file Speedy.bat.

The worm is compressed using UPX.

This worm attempts to download updates from www.gwmnet.com.br, although the site may have already been shut down. Indicators of infection include:
  • The existence of the files Merda!.aaa, Podre!!, Banda!, or SpeedM2.shi in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
  • The existence of the file lentao! in the root of drive C. This may indicate a remote infection (that is, a remote host infected the computer).
  • The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value Spees2 or SpeedBoss, which is set to %Windir%\Speedy.bat.

  • When the worm runs on Windows 95/98/Me-based computers, the worm can spread to other Windows 95/98/Me/2000/NT/XP-based computers through open network shares, but the worm cannot run on Windows 2000/NT/XP.
  • If you are on a network, or have a full-time connection to the Internet, such as DSL or Cable modem, disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, disable them. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Share specific folders instead. These shares must be password-protected with a secure password. Do not use a blank password.

    Also, before doing so, if you are using Windows 95/98/Me, download and install the Microsoft patch from:


Antivirus Protection Dates

  • Initial Rapid Release version September 18, 2003
  • Latest Rapid Release version August 8, 2016 revision 023
  • Initial Daily Certified version September 18, 2003
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date September 18, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Douglas Knowles

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube