Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Opaserv.A

Aliases: Worm.Win32.Opasoft

Win32/Opaserv is a worm that spreads on the local networks and on the shared disks. It also attempts to spread to random selected IP addresses.
The worm acts in the Windows family operating systems. It is generated by the PE format executable file - its size is 28672 bytes.

It installs itself into the Windows directory as a file ScrSvr.exe. It uses the system registry for its activation. In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run it cretes the entry ScrSvr with the value C:\WINDOWS\ScrSvr.exe.

It spreads through the available shared network disks so that it copies the file ScrSvr.exe to the Windows directory on the target computer, where it also modifies the file win.ini. The modificated win.ini file causes the worm startup on the next windows restart.
The worm contains the code that prevents to the double infection - it checks the presence of the mutex named ScrSvr31415.

The worm also attempts to download and execute the files from the server www.opasoft.com, that is not working anymore.

NOD32 (ver. 1.309 and higher) detects/cleans this worm.

To clean infected computer, the following steps need to be carried out:

  • Click the Control Center icon located on the system taskbar
  • Click "Update now" button (to make sure the latest version of NOD32 database is installed)
  • Go to Start > Programs > Eset > NOD32
  • In the "Targets" Tab select the all available hard-disks by double clicking appropriate icon
  • Click the "Clean" button
  • When an infected file is found and an action is offered, click "Delete"
  • Restart system