W32/Opaserv-E is a worm that spreads via network shares.
When executed the worm will create a file called scrsvr.exe in the Windows folder on the current drive. W32/Opaserv-E then adds the following registry entry to run itself when Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ScrSvr = C:\Windows\ScrSvr.exe
The worm scans a range of IP addresses for the local area network searching for computers with an open C: share and NETBIOS enabled over TCP/IP. When a share is found the worm is copied to the Windows folder of that share and modifies the file win.ini so that the worm is executed the next time Windows is started on that computer. Once the local area network has been scanned the worm will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm.
W32/Opaserv-E also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.
The following non-viral files may be found in the root folder of infected systems:
tmp.ini
scrsin.dat
scrsout.dat