W32/Opaserv-K

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Read instructions on how to remove the W32/Opaserv-K worm and ensure your system is not vulnerable to reinfection.

More Information

Summary
Action
More Information

W32/Opaserv-K is a member of the W32/Opaserv family. When run W32/Opaserv-K copies itself into the Windows folder as svr32.exe and sets the following registry entry to run itself automatically when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\mqbkup=C:\Windows\mqbkup.exe

W32/Opaserv-K spreads over the internet using Windows network shares. The worm copies itself over to the Windows folder of the remote computer as mqbkup.exe and sets the following entry in the [Windows] section of win.ini:

run=C:\Windows\mqbkup.exe

This entry will start the worm on the remote computer when Windows starts up.

W32/Opaserv-K may drop and run the files C:\mslicenf.com and C:\bootsect.dos, detected by Sophos Anti-Virus as Qzap-248 and Troj/Qzap-249 respectively. Please see the descriptions of Qzap-248 and Troj/Qzap-249 for information on the effects of running these programs.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Opaserv-K

Summary

Action

More Information