W32.Opaserv.Worm Removal Tool
Discovered on: September 30, 2002
Last Updated on: May 10, 2004 01:31:19 PM PDT
IMPORTANT. READ THIS FIRST:
- This worm exploits a security vulnerability in Microsoft Windows 95/98/Me. It sends single-character passwords to network shares to gain access to Windows 95/98/Me file shares without knowing the entire password assigned to the share. The affected systems include Windows 95, 98, and Me. A patch for computers running these operating systems can be found at http://www.microsoft.com/technet/security/bulletin/MS00-072.asp. If you have not already done so, obtain and install the patch to prevent future infections.
- If you are on a network, or have a full-time connection to the Internet, such as DSL or cable modem, disconnect the computer from the network and the Internet. Disable sharing before reconnecting computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not re-infect the computer after it has been removed, remove all the shares, clean all the computers on the network, patch all the systems, and update the definitions on all the computers before you reconnect to the network or re-enable shares.
IMPORTANT: Do not skip this step. Disconnect from the network before attempting to remove this worm.
- For additional information on file sharing, read your Windows documentation or the document, "How to configure shared Windows folders for maximum network protection."
- When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Share specific folders instead. These shares must be password-protected with a secure password. Do not use a blank password. Also, before doing so, if you are using Windows 95/98/Me, download and install the Microsoft patch from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
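The first bullet describes a password check that can be satisfied by a single character. The following added example (not Symantec's or Microsoft's code, and not a reproduction of the Windows 9x file-sharing code) models that flaw as a defender would when reviewing an authentication routine: a check that compares only as many characters as the client supplied, beside a corrected check that requires the full password and compares in constant time. The stored password, the guesses and the helper names are constructed for the example.

```python
# Added example (not Symantec's or Microsoft's code): a model of the
# share-level password check described above. The "vulnerable" version
# accepts any guess that matches the first len(supplied) characters, so a
# one-character guess succeeds without the whole password; the "fixed"
# version requires the complete password. All values below are constructed.

import hmac
import string


def vulnerable_share_check(stored, supplied):
    """Model of the flawed check: only len(supplied) characters are compared."""
    if not supplied:
        return False
    return stored[: len(supplied)] == supplied


def fixed_share_check(stored, supplied):
    """Hardened check: lengths must match and the comparison is constant-time."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def accepted_single_char_guesses(check, stored, alphabet=string.printable):
    """Regression test for a password check: which one-character guesses does it
    accept? A correct check accepts none unless the password itself is one
    character long."""
    return [c for c in alphabet if check(stored, c)]


def main():
    stored = "Quartz7!"  # constructed sample share password
    print("vulnerable:", accepted_single_char_guesses(vulnerable_share_check, stored))
    print("fixed:     ", accepted_single_char_guesses(fixed_share_check, stored))


if __name__ == "__main__":
    main()
```

The point of `accepted_single_char_guesses` is as a unit test for your own authentication code: a check that accepts any one-character guess against a longer secret lets an attacker confirm the password one character at a time, which is the weakness the MS00-072 patch closes.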
What the tool does
The W32.Opaserv.Worm Removal Tool does the following:
- Terminates all currently known viral W32.Opaserv.Worm processes for variants of W32.Opaserv.Worm, up to and including W32.Opaserv.K.Worm.
- Deletes any W32.Opaserv.Worm executable files.
- Removes the viral registry entries.
- Restores the Win.ini file.
- Displays a message prompting you to make sure that the Microsoft patch is installed before continuing. The patch must be downloaded from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.
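The list above says the tool restores Win.ini but does not say what it checks. The following added example (not Symantec's removal-tool code) shows the audit a practitioner would run by hand on a Windows 9x machine: it parses Win.ini, reports the classic autostart lines `run=` and `load=` in the `[windows]` section, and produces a copy with those lines blanked. The Win.ini text is constructed for the example and the program path in it is a placeholder, not an indicator from this write-up.

```python
# Added example (not Symantec's code): audit and blank the run=/load=
# autostart lines in the [windows] section of Win.ini. The Win.ini below is
# constructed; PLACEHOLDER.EXE stands in for whatever a worm might add there.

CONSTRUCTED_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\PLACEHOLDER.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def parse_ini(text):
    """Minimal INI parser: {section: [(key, value), ...]}.
    Keeps duplicate keys and order, which configparser would not."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autostart_entries(text):
    """Return every non-empty run=/load= value under [windows]."""
    found = []
    for key, value in parse_ini(text).get("windows", []):
        if key in ("run", "load") and value:
            found.append((key, value))
    return found


def restore_autostart(text):
    """Return Win.ini text with run= and load= under [windows] blanked and
    everything else untouched. Blanking rather than deleting the line is this
    example's choice; it keeps the file layout intact."""
    out = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
        elif in_windows and "=" in line:
            key = line.partition("=")[0].strip()
            if key.lower() in ("run", "load"):
                out.append(key + "=")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, value in autostart_entries(CONSTRUCTED_WIN_INI):
        print("[windows] " + key + "=" + value)
    print(restore_autostart(CONSTRUCTED_WIN_INI))
```

On a real machine, compare the reported entries against what you expect to start with Windows before blanking anything; a legitimate program can also use `run=`, so the audit is evidence for a decision, not the decision itself.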
Command-line switches available with this tool
NOTE: Using the /MAPPED switch does not ensure complete removal of the virus from the remote computer, because:
- Scanning the mapped drives scans only the mapped folders. This might not include all the folders on the remote computer, which can lead to missed detections.
- If a viral file is detected on the mapped drive, the removal will fail if a program on the remote computer is using this file.
For these reasons, you should run the tool on every computer.
Obtaining and running the tool
NOTE: You must have administrative rights to run this tool on Windows NT4/2000/XP.
- Download the FixOpsrv.exe file from: http://securityresponse.symantec.com/avcenter/FixOpsrv.exe.
- Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media known to be uninfected, if possible).
- To check the authenticity of the digital signature, refer to the section, "Digital signature."
- Close all the programs before you run the tool.
- If you are on a network or have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
- If you are running Windows Me or XP, disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for details.
NOTE: If you are running Windows Me/XP, we recommend that you do not skip this step.
- Double-click the FixOpsrv.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- If you are running Windows Me or XP, re-enable System Restore.
- Run LiveUpdate to make sure that you are using the most current virus definitions.
NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore is not disabled as previously directed, because Windows prevents System Restore from being modified by outside programs, so the removal tool might fail.
When the tool has finished running, you will see a message indicating whether the W32.Opaserv.Worm infected the computer. If the worm was removed, the program displays the following results:
- The total number of scanned files
- The number of deleted files
- The number of terminated viral processes
- The number of deleted viral registry entries
Digital signature
FixOpsrv.exe is digitally signed. Symantec recommends that you use only copies of FixOpsrv.exe that were downloaded directly from the Symantec Security Response Web site. To check the authenticity of the digital signature, follow these steps:
- Go to http://www.wmsoftware.com/free.htm.
- Download and save the Chktrust.exe file to the same folder in which you saved FixOpsrv.exe (for example, C:\Downloads).
- Depending on your operating system, do one of the following:
  - Click Start, point to Programs, and then click MS-DOS Prompt.
  - Click Start, point to Programs, click Accessories, and then click Command Prompt.
- Change to the directory in which FixOpsrv.exe and Chktrust.exe are stored, and then type:
  chktrust -i FixOpsrv.exe
  For example, if you saved the file to the C:\Downloads folder, you would enter the following commands, pressing Enter after you type each command:
  cd\
  cd downloads
  chktrust -i FixOpsrv.exe
  If the digital signature is valid, you will see the following:
  Do you want to install and run "W32.Opaserv.Worm Removal Tool" signed on 12/27/2002 12:42 PM and distributed by Symantec Corporation?
NOTES:
- The date and time that appear in this dialog box will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
- If you are using Daylight Saving Time, the time that appears will be exactly one hour earlier.
- If this dialog box does not appear, two possible reasons exist:
  - The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
  - The tool is from Symantec and is legitimate; however, your operating system was previously instructed to always trust content from Symantec. For information on this and how to view the confirmation dialog again, read the document, "How to restore the Publisher Authenticity confirmation dialog box."
- Click Yes to close the dialog box.
- Type exit, then press Enter. This will close the MS-DOS session.
System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, System Restore may back up the virus, worm, or Trojan. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is a possibility that you could accidentally restore an infected file, or that online scanners could detect the threat in that particular location. For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
For more information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article, "Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
How to run the tool from a floppy disk
- Insert the floppy disk that contains the FixOpsrv.exe file in the floppy disk drive.
- Click Start, and then click Run.
- Type the following, and then click OK:
  a:\fixopsrv.exe
NOTES:
- There are no spaces in the command a:\fixopsrv.exe.
- If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled, or exit the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- If you are running Windows Me, re-enable System Restore afterwards.
NOTE: There have been several reports of infections by this worm in which the worm itself was infected with a virus that also spread to the infected computer. For this reason, we suggest that, after you have finished removing W32.Opaserv.Worm, you run a full system scan. If any files are detected as infected with a different threat, go to http://securityresponse.symantec.com/avcenter/vinfodb.html, enter the name of the detection in the field, and then click Search. If a document is found, open it and follow any removal instructions.
Additional Information
- If you are on a network, have a full-time connection to the Internet, such as a DSL or cable modem, or often leave a dial-up connection open for extended periods of time, we recommend that you install a firewall for additional protection. For information on Symantec firewall products, go to: http://www.symantec.com/product/.
- If you are using a Norton AntiVirus consumer product, read the document, "How to prevent reinfections of W32.Opaserv.Worm."
- If you have successfully run the tool, but a subsequent full system scan detects W32.Opaserv.Worm in either the C:\Windows\Sysbckup folder or the Norton-Protected Recycle Bin and cannot delete it, follow these instructions:
  - Sysbckup folder: If a scan detects W32.Opaserv.Worm in C:\Windows\Sysbckup\<File name>.cab (in which <File name> is formatted as Rb### or Prb###):
    - When the scan detects the file, write down the file name.
    - Restart the computer in Safe mode. Using Windows Explorer, locate the C:\Windows\Sysbckup folder, select the detected file, and delete it.
  - Norton-Protected Recycle Bin: Empty the Norton-Protected Recycle Bin.
Revision History:
- December 27, 2002: Version 1.0.4 supports all
currently known variants of W32.Opaserv.Worm, up to
and including W32.Opaserv.K.Worm.
- November 19, 2002: Version 1.0.3 supports all
currently known variants of W32.Opaserv.Worm, up to
and including W32.Opaserv.H.Worm.
- October 24, 2002: Version 1.0.2 supports all known
variants of W32.Opaserv.Worm and
W32.Opaserv.E.Worm.
Write-up by: Douglas Knowles