W32/Opaserv disinfection instructions and FAQ
W32/Opaserv variants are worms that spread over both internal networks and the internet by exploiting open or weakly protected C: drive shares. They mainly affect Windows 95/98/Me computers.
1. How do I get rid of W32/Opaserv?
2. How do I prevent reinfection by W32/Opaserv?
1. How do I get rid of W32/Opaserv?
Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
Windows 95/98/Me and Windows NT/2000/XP/2003
The following W32/Opaserv variants can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the Resolve tools below:
W32/Opaserv-A, W32/Opaserv-B, W32/Opaserv-C, W32/Opaserv-D, W32/Opaserv-E, W32/Opaserv-F, W32/Opaserv-Fam, W32/Opaserv-G, W32/Opaserv-H, W32/Opaserv-I, W32/Opaserv-J, W32/Opaserv-K, W32/Opaserv-L, W32/Opaserv-V.
Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.
Windows disinfector
OPASEGUI is a disinfector for standalone Windows computers:
- open OPASEGUI
- run it
- then click GO.
If you are disinfecting several computers, download it, save it to floppy disk and run it from there.
Read the notes below on preventing reinfection.
Command line disinfector
OPASESFX.EXE is a self-extracting archive containing OPASECLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
Read the notes below on preventing reinfection.
Other platforms
To remove W32/Opaserv on other platforms please follow the instructions for removing worms.
2. How do I prevent reinfection by W32/Opaserv?
All variants of W32/Opaserv spread over both internal networks and the internet by exploiting open or weakly protected C: drive shares.
Upon infection, the virus is written to the WINDOWS folder, and the file WIN.INI is edited to run the virus each time the computer is rebooted. Sophos Anti-Virus will prevent this file from being run, but it will not prevent it from being copied to the computer initially. When the computer is rebooted and the change to WIN.INI attempts to run the virus, InterCheck will find it and prevent it from running.
To stop this happening, right-click the C: drive in Windows Explorer, select Sharing, then unshare the C: drive. Password-protecting your shared C: drive may not be enough to prevent access by W32/Opaserv. Shares created on individual folders other than the Windows folder will not attract infection by W32/Opaserv.
To improve the security of password-protected shares, install the patch.
If, for some reason, it is necessary for you to share the C: drive of a Windows 95/98/Me computer attached to the Internet, you should consider installing a firewall.
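The WIN.INI change described above can be checked for on a copy of the file. The following is an added example, not a Sophos tool: it lists the run= and load= entries in the [windows] section (the standard WIN.INI autostart keys; the page does not say which one the worm uses) and flags those pointing into the Windows folder. The sample file, the name EXAMPLE.EXE and the C:\WINDOWS default are constructed assumptions.

```python
import ntpath
import re

# Constructed sample WIN.INI; EXAMPLE.EXE and OTHER.EXE are placeholders, not names from the page.
SAMPLE_WIN_INI = """\
; constructed sample
[windows]
load=
run=C:\\WINDOWS\\EXAMPLE.EXE

[Desktop]
run=C:\\OTHER.EXE
"""

AUTOSTART_KEYS = {"run", "load"}  # [windows] keys started at boot on Windows 95/98/Me


def autostart_entries(ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section only."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue  # the same key name in another section is not an autostart
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in AUTOSTART_KEYS:
            # Assumption: entries are 8.3 paths separated by spaces or commas.
            for program in re.split(r"[ ,]+", value.strip()):
                if program:
                    entries.append((key, program))
    return entries


def in_windows_folder(program, windows_dir="C:\\WINDOWS"):
    """True if the program is directly in the Windows folder or has no path."""
    folder = ntpath.dirname(program)
    return folder == "" or ntpath.normcase(folder) == ntpath.normcase(windows_dir)


def entries_to_review(ini_text):
    """Autostart entries worth checking by hand; legitimate programs can match too."""
    return [(k, p) for k, p in autostart_entries(ini_text) if in_windows_folder(p)]
```

An empty result means no autostart entry in WIN.INI points into the Windows folder; it does not show that the computer is clean.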

