Sophos

W32/Opaserv-A

Aliases
  • Opasoft

Summary

Included in our products from November 2002 (3.63)
Detected by All Sophos products

Action

Read instructions on how to remove the W32/Opaserv-A worm and ensure your system is not vulnerable to reinfection.

More Information

W32/Opaserv-A is a worm that spreads via network shares.

When executed, the worm copies itself to the Windows folder on the current drive as scrsvr.exe or alevir.exe. W32/Opaserv-A then adds one of the following registry entries so that it is run each time the system starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr =
C:\WINDOWS\ScrSvr.exe

or

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\alevir =
C:\WINDOWS\alevir.exe

The worm scans the IP address range of the local area network for computers that have an open (writable) C: share and NetBIOS enabled over TCP/IP. When it finds one, it copies itself to the Windows folder on that share and modifies that computer's win.ini so that the worm runs the next time Windows starts there. Once the local network has been scanned, the worm performs the same search across the internet, starting from a randomly generated IP address. Any internet-connected computer that has file sharing enabled and NetBIOS over TCP/IP turned on is therefore a potential target: the infection mechanism is ordinary file copying to a reachable, writable share.

W32/Opaserv-A also attempts to connect to a website, which was unavailable at the time of analysis. This connection is most likely a mechanism for updating the worm executable.

The following three non-viral files (data files that do not themselves contain the worm) may also be found in the root folder of infected systems:

tmp.ini
scrsin.dat
scrsout.dat
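A host-side check for the indicators listed above, written here as an added example and not Sophos code. It parses win.ini for run= or load= autostart lines in the [windows] section that name scrsvr.exe or alevir.exe (the page says only that win.ini is modified, so which line the worm uses is an assumption; these are the two autostart lines win.ini has), flags matching value names or data under the Run key, looks for the worm executables and the three companion files on disk, and tests whether the NetBIOS session service on TCP/139 is reachable, which is the exposure the worm's scan looks for. The win.ini text and Run key contents embedded below are constructed sample data.

```python
"""Host IOC check for W32/Opaserv-A (added example, not Sophos code).

Assumptions: win.ini autostart is the [windows] section's run= or load= line;
SAMPLE_WIN_INI and SAMPLE_RUN_VALUES are constructed test data."""
import ntpath
import os
import re
import socket

WORM_FILES = {"scrsvr.exe", "alevir.exe"}                  # in the Windows folder
RUN_VALUE_NAMES = {"scrsvr", "alevir"}                     # value names under Run
COMPANION_FILES = {"tmp.ini", "scrsin.dat", "scrsout.dat"}  # non-viral, root folder
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed win.ini resembling one modified by the worm (assumed run= line).
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\ScrSvr.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed Run key contents: one benign entry, one worm entry.
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "ScrSvr": "C:\\WINDOWS\\ScrSvr.exe",
}


def parse_ini(text):
    """Tolerant win.ini parser -> {section (lower): [(key (lower), value), ...]}.
    Keeps duplicate keys and skips ';' comments, unlike configparser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _is_worm_path(path):
    """True if the file name of a (possibly quoted) Windows path is a worm name."""
    return ntpath.basename(path.strip().strip('"')).lower() in WORM_FILES


def win_ini_hits(win_ini_text):
    """[(key, program)] for run=/load= entries in [windows] that name the worm."""
    hits = []
    for key, value in parse_ini(win_ini_text).get("windows", []):
        if key not in ("run", "load"):
            continue
        # run= and load= may list several programs separated by spaces or commas
        for program in re.split(r"[\s,]+", value):
            if program and _is_worm_path(program):
                hits.append((key, program))
    return hits


def run_key_hits(run_values):
    """run_values: {value name: data} from the Run key; flags worm names or data."""
    return sorted(name for name, data in run_values.items()
                  if name.lower() in RUN_VALUE_NAMES or _is_worm_path(data))


def read_live_run_key():
    """Read the real Run key on Windows; returns {} elsewhere so imports still work."""
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
    return values


def file_hits(windows_dir, root_dir):
    """Paths of worm executables and companion files that exist on disk."""
    candidates = [os.path.join(windows_dir, n) for n in sorted(WORM_FILES)]
    candidates += [os.path.join(root_dir, n) for n in sorted(COMPANION_FILES)]
    return [p for p in candidates if os.path.isfile(p)]


def netbios_session_reachable(host, timeout=1.0):
    """True if TCP/139 (NetBIOS session service) accepts a connection from here;
    a host reachable on 139 with a writable C: share is what the worm scans for."""
    try:
        with socket.create_connection((host, 139), timeout=timeout):
            return True
    except OSError:
        return False
```

On a live Windows machine, run_key_hits(read_live_run_key()) checks the real Run key, and file_hits should be pointed at the actual Windows folder and drive root; netbios_session_reachable run from outside the network tells you whether port 139 is exposed to the internet at all, which is the condition the worm needs before a share is even tried.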
