
W32.Opaserv.K.Worm

Risk Level 2: Low


Discovered: December 24, 2002
Updated: February 13, 2007 11:41:59 AM
Also Known As: W32/Opaserv.worm.m [McAfee], W32/Opaserv.worm.n [McAfee], W32/Opaserv-H [Sophos], W32/Opaserv-I [Sophos], W32/Opaserv-L [Panda], Opaserv.F [F-Prot], WORM_OPASERV.M [Trend]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-2000-0979


W32.Opaserv.K.Worm is a network-aware worm that spreads across open network shares. This worm copies itself to the remote computer as a file named Mqbkup.exe. It is compressed with a PECompact packer.

Before you follow the steps in this document, if you are running Windows 95/98/Me, download and install the Microsoft patch from: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp.

NOTE: Some of the functionality of W32.Opaserv.K.Worm is specific to Windows 95/98/Me systems, while some of it functions only on Windows NT/2000/XP.

If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and the Internet before attempting to remove this worm. If you have shared files or folders, disable the shares. When you have finished the removal procedure, if you decide to re-enable file sharing, Symantec suggests that you do not share the root of drive C. Instead, share specific folders. These shared folders must be password-protected with a secure password. Do not use a blank password.

Recently, a new variant of the W32.Opaserv.K.Worm was discovered. The differences between this new variant and the old one are:
  • File name is Mmstask.exe, instead of Mqbkup.exe.
  • Registry key that the new variant adds is Mstask or Mstasksys.
  • File size is 20,480 bytes.
Other differences between the two variants have not been discovered.
Symantec antivirus products have already detected this new variant as W32.Opaserv.K.Worm.
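
A triage check built from the file indicators listed above, meant to be run from a clean analysis machine against a mounted copy of a suspect disk. This is an added example, not Symantec's tooling; `scan_tree` and `demo` are hypothetical names, and the demo tree consists of constructed, zero-filled placeholder files.

```python
import os
import sys
import tempfile

# File indicators from the write-up: dropped file names, plus the
# 20,480-byte size that the page reports for the Mmstask.exe variant only.
INDICATORS = {
    "mqbkup.exe": None,    # no size given on the page
    "mmstask.exe": 20480,
}

def scan_tree(root):
    """Return sorted (path, indicator, size_match) tuples found under root.

    size_match is None when the page gives no size for that file name.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()  # Windows file names are case-insensitive
            if key not in INDICATORS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry, skip it
            expected = INDICATORS[key]
            hits.append((path, key, None if expected is None else size == expected))
    return sorted(hits)

def demo():
    """Scan a constructed tree of harmless zero-filled placeholder files."""
    layout = {"WINDOWS/MQBKUP.EXE": 100, "WINDOWS/Mmstask.exe": 20480,
              "WINDOWS/notepad.exe": 20480, "temp/mmstask.exe": 10}
    with tempfile.TemporaryDirectory() as root:
        for rel, size in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
        return [(os.path.relpath(p, root), k, m) for p, k, m in scan_tree(root)]

if __name__ == "__main__":
    # With a path argument, scan it; otherwise run the constructed demo.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, key, size_match in results:
        print(f"{path}\t{key}\tsize_match={size_match}")
```

A hit on name alone (`size_match` of `None` or `False`) is a lead to confirm with an antivirus scan, not a verdict.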

Protection

  • Initial Rapid Release version December 24, 2002
  • Latest Rapid Release version July 19, 2008 revision 019
  • Initial Daily Certified version December 24, 2002
  • Latest Daily Certified version July 19, 2008 revision 018
  • Initial Weekly Certified release date December 24, 2002


Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Moderate
  • Removal: Moderate

Damage

  • Damage Level: High

Distribution

  • Distribution Level: Medium

Writeup By: Serghei Sevcenco