W32/Opaserv-J is a member of the W32/Opaserv family. When run W32/Opaserv-J copies itself into the Windows folder as svr32.exe and sets the following registry entry to run itself automatically when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
\Svr32= C:\Windows\svr32.exe
W32/Opaserv-J spreads over the internet using Windows network shares. The worm copies itself to the Windows folder of the remote computer as svr32.exe and sets the following entry in the [Windows] section of win.ini:
run=C:\Windows\svr32.exe
This entry will start the worm on the remote computer when Windows starts up.
W32/Opaserv-J will attempt to remove older variants of the W32/Opaserv worm by removing the following files from the Windows folder:
alevir.exe
scrsvr.exe
brasil.exe
The following registry entries will also be removed:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SCRSVR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ALEVIR
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BRASIL