Summary

| Included in our products from | November 2003 (3.75) |
|---|---|
| Protection available since | 28 September 2003 09:46:38 (GMT) |
| Detected by | All Sophos products |
Action

Read instructions on how to remove the W32/Opaserv-D worm and ensure your system is not vulnerable to reinfection.
More Information
W32/Opaserv-D is a variant of W32/Opaserv-A. It is a worm that spreads via network shares.
When executed, the worm creates a file called scrsvr.exe in the Windows folder on the current drive. W32/Opaserv-D then adds the following registry entry so that it runs when the system starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ScrSvr = C:\WINDOWS\ScrSvr.exe
The worm attempts to copy itself to the Windows folder on networked computers with open shared drives. It then modifies the win.ini file on the remote machine to ensure that the copied file is run on system start. The worm also searches local IP addresses for open C: shares and attempts to copy itself to the Windows folder of each share. Once the local area network has been scanned, the worm starts performing the same search on the internet, beginning at a randomly generated IP address. As a result, anyone connected to the internet who has file sharing enabled and who enables NetBIOS over TCP/IP is potentially vulnerable to this worm.
W32/Opaserv-D also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.
The following three non-viral files may be found in the root folder of infected systems:
tmp.ini
scrsin.dat
scrsout.dat
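
An added example (not Sophos code) that checks a volume root, either a live C:\ or a mounted disk image, for the file-system traces listed above. The function names are illustrative, and the run=/load= check is an assumption, because the description does not say which win.ini entry the worm changes; the registry Run value is not covered.

```python
import os
import sys

WORM_EXE = "scrsvr.exe"  # file names are taken from the description above
ROOT_FILES = ("scrsin.dat", "scrsout.dat", "tmp.ini")

def find_ci(directory, name):
    # Windows names are case-insensitive; a mounted image may not be.
    if os.path.isdir(directory):
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    return None

def winini_autostart_hits(text, needle=WORM_EXE):
    # Assumption: the description does not name the win.ini entry the worm
    # edits, so check run= and load= under [windows], which start programs.
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in ("run", "load") and needle in value.lower():
                hits.append(line)
    return hits

def scan_volume(root, windows_dir="WINDOWS"):
    # root is a volume root: a live C:\ or the mount point of a disk image.
    findings = []
    win = find_ci(root, windows_dir)
    if win:
        exe = find_ci(win, WORM_EXE)
        if exe:
            findings.append(("worm_executable", exe))
        ini = find_ci(win, "win.ini")
        if ini:
            with open(ini, errors="replace") as fh:
                findings += [("win.ini_autostart", h) for h in winini_autostart_hits(fh.read())]
    for name in ROOT_FILES:
        path = find_ci(root, name)
        if path:
            findings.append(("root_artifact", path))
    return findings

if __name__ == "__main__":
    for kind, detail in scan_volume(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(kind, detail)
```

The three root files are described as non-viral, so a hit on them alone indicates a past or present infection rather than a live copy of the worm.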
