high
Summary
Summary
Action- More Information
| Protection available since | 24 December 2003 11:17:48 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Opaserv-S is a worm that spreads on Windows shares exploiting a weakness available on unpatched Win95/98 based systems.
In order to run automatically when Windows starts up the worm copies itself to the file natal!.pif in the Windows folder and adds the following registry entry pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\4wd!!!
The worm also creates the log files natlog, natlog2, natsout.gay and natsin.gay in the Windows folder.
W32/Opaserv-S attempts to access remote websites to register itself and attempts to download and execute files from several sites probably to update itself. The websites used by the worm are not available at the time of writing.
The worm attempts to infect remote computers by scanning local subnets for vulnerable systems, copying itself across to the file C:\Windows\natal!.pif and by replacing the file win.ini on the remote machine with a version that starts the worm automatically when Windows boots up.
The worm temporarily creates the text file C:\lammer!.
|
