Discovered: October 23, 2002
Updated: February 13, 2007 11:57:48 AM
Also Known As: W32.Opaserv.Worm, WORM_OPASERV.E [Trend], W32/Opaserv-C [Sophos], Win32.Opaserv.E [CA], W32/Opaserv.worm [McAfee]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Opaserv.E.Worm is a variant of W32.Opaserv.Worm. It is a network-aware worm that spreads itself across open network shares. It copies itself to the remote computer as the file Brasil.exe or Brasil.pif.
This worm also attempts to download updates from www.n3t.com.br, although the site may have already been shut down.
Indicators of infection include:
- The existence of the files Brasil.dat and Brasil!.dat, or Put.ini in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
- The existence of the Put.ini file in the root of drive C. This may indicate a remote infection (that is, the computer was infected by a remote host).
- The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value Brasil or BrasilOld, which is set to C:\WINDOWS\Brasil.pif or C:\WINDOWS\brasil.exe.
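The indicators above can be checked offline against a listing of the root of drive C and a regedit text export of the Run key. The following Python code is an added example, not part of the original write-up; the function names, the finding labels and the sample data are assumptions made for illustration.

```python
import re

# Indicator names taken from the write-up above; matching is case-insensitive
# because Windows file names and registry value names are.
LOCAL_MARKERS = {"brasil.dat", "brasil!.dat"}
REMOTE_MARKER = "put.ini"
RUN_NAMES = {"brasil", "brasilold"}
RUN_TARGETS = {r"c:\windows\brasil.pif", r"c:\windows\brasil.exe"}

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')


def parse_run_export(reg_text):
    """Return {value name: data} from a regedit text export of the Run key."""
    values = {}
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            # regedit escapes each backslash as "\\" inside string data
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def assess(root_files, run_values):
    """Map observed artifacts to the indicators listed in the write-up."""
    names = {f.lower() for f in root_files}
    findings = [("local", marker) for marker in sorted(LOCAL_MARKERS & names)]
    if REMOTE_MARKER in names:
        findings.append(("possible-remote", REMOTE_MARKER))
    for name, data in run_values.items():
        # Require both the value name and its target to match the write-up
        if name.lower() in RUN_NAMES and data.lower() in RUN_TARGETS:
            findings.append(("autostart", name))
    return findings


# Constructed sample input, not captured from a real host.
SAMPLE_ROOT = ["AUTOEXEC.BAT", "Put.ini", "BRASIL.DAT", "CONFIG.SYS"]
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Brasil"="C:\\WINDOWS\\Brasil.pif"
'''

if __name__ == "__main__":
    for kind, item in assess(SAMPLE_ROOT, parse_run_export(SAMPLE_REG)):
        print(kind, item)
```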
NOTES:
- When running on Windows 95/98/Me computers, the worm can spread itself to other Windows 95/98/Me/2000/NT/XP computers through open network shares, but the worm cannot run on Windows 2000/NT/XP systems.
- Definitions dated prior to October 24, 2002 may detect this threat as W32.Opaserv.Worm.
NOTE: If you are on a network, or have a full-time connection to the Internet such as DSL or cable modem, you must disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, these must be disabled. When you have finished the removal procedure, if you decide to reenable file sharing, Symantec suggests that you do not share the root of drive C. Share specific folders instead. These shares must be password-protected with a secure password. Do not use a blank password.
Also, before doing so, if you are using Windows 95/98/Me, you must download and install the Microsoft patch from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
If you are on a network, have a full time connection to the Internet such as DSL or Cable modem, or often leave a dial-up connection open for extended periods, we strongly recommend the installation of a firewall for additional protection. For information on Symantec firewall products, go to:
http://www.symantec.com/product/
Protection
- Initial Rapid Release version October 24, 2002
- Latest Rapid Release version October 24, 2002
- Initial Daily Certified version October 24, 2002
- Latest Daily Certified version January 15, 2008 revision 017
- Initial Weekly Certified release date October 28, 2002
Threat Assessment
Wild
- Wild Level: Medium
- Number of Infections: More than 1000
- Number of Sites: More than 10
- Geographical Distribution: Medium
- Threat Containment: Easy
- Removal: Moderate
Damage
Distribution
- Distribution Level: Medium
Writeup By: Yana Liu