
 

Opaserv Worm

Information about Opaserv.K Worm:

Opaserv.K is a modified variant of the Opaserv worm that spreads using shared network drives. Opaserv.M infects only network shares and does not spread through e-mail attachments. It contains a destructive payload: when executed, it overwrites all the hard disk sectors.

Opaserv modifies the registry so that it starts automatically. The modified entry is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = Mqbkup or qbkupdbs. In case of remote infection, it modifies WIN.INI to load automatically on the next startup.

When executed, it locates the Windows folder on the local system and copies itself there as "Mqbkup.exe". The worm also creates the files C:\Boot.exe and C:\Mslicenf.com, and uses C:\AUTOEXEC.BAT to load these files automatically. Mslicenf.com is a destructive file. When executed on the next startup, it destroys the hard disk data by overwriting all the starting sectors with its own copy.

Opaserv.K also displays this message:

Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
1-888-NOPIRACY
If you are outside the USA, please look up the correct contact information
on our website, at:
www.bsa.org
Business Software Alliance
Promoting a safe & legal online world.

This worm is also known as Worm/Opaserv.K, W32.Opaserv.M.Worm, WORM_Opaserv.K.

Information about Opaserv.E Worm:

Opaserv.E is a modified variant of the Opaserv worm that spreads using shared network drives. Opaserv.E infects only network shares and does not spread through e-mail attachments.

Opaserv modifies the registry so that it starts automatically. The modified entry is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run = Barsil or BrasilOld. In case of remote infection, it modifies WIN.INI to load automatically on the next startup.

When executed, it locates the Windows folder on the local system and on the network and copies itself there as "Brasil.exe" and "Brasil.pif". It also creates scrin.dat and scrout.dat in the root of drive C. In case of remote infection, it creates put.ini in the root of drive C.

This worm is also known as Worm/Opaserv.E, W32.Opaserv.E.Worm, WORM_Opaserv.E.

Removing Opaserv worm from your computer:

Fire has incorporated Opaserv and its variants in its signature file to protect Fire users from this worm. Fire anti-virus users can update the signature file using the online update facility, which is available with the registered version of the Fire anti-virus Kit.

If you are already infected with this worm, download and install the security patches from http://www.microsoft.com/technet/security/bulletin/MS00-072.asp. Then run Fire anti-virus and choose the Delete option to remove the worm components.

Opaserv is a network-aware worm. If you are connected to a network, you have to remove the worm from all the machines on that network at one stretch to avoid re-infection. Also password protect your C drive share or set the C drive share to read-only access: right-click the C drive in Windows Explorer and password protect your network share. Then edit your C:\Windows\win.ini file and remove the line run=c:\Windows\brasil.exe, c:\Windows\Mqbkup.exe...
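The win.ini clean-up step above can be scripted so that only the worm's entries are dropped and any legitimate startup program on the same line is kept. This is an added example, not part of the original advisory or of Fire; the function name, the handling of load= and the sample file are assumptions.

```python
import ntpath
import re

# File names this page says the worm copies into the Windows folder.
WORM_FILES = {"mqbkup.exe", "brasil.exe", "brasil.pif"}

def clean_win_ini(text):
    """Return (cleaned_text, removed) for the contents of a win.ini file.

    Only run= / load= lines inside [windows] are touched; entries that do
    not name a worm file are kept, so legitimate startup programs survive.
    """
    cleaned, removed, section = [], [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        key, sep, value = stripped.partition("=")
        key = key.strip().lower()
        # load= is included as an assumption; the page names only run=.
        if section == "windows" and sep and key in ("run", "load"):
            kept = []
            for entry in re.split(r"[,\s]+", value.strip()):
                if not entry:
                    continue
                # ntpath parses backslash paths on any host OS.
                if ntpath.basename(entry).lower() in WORM_FILES:
                    removed.append(entry)
                else:
                    kept.append(entry)
            line = key + "=" + " ".join(kept)
        cleaned.append(line)
    return "\r\n".join(cleaned) + "\r\n", removed

# Constructed sample: an infected win.ini with one legitimate startup entry.
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run=c:\\Windows\\brasil.exe, C:\\TOOLS\\CLOCK.EXE c:\\Windows\\Mqbkup.exe\r\n"
    "[Desktop]\r\n"
    "run=c:\\Windows\\brasil.exe\r\n"
)

if __name__ == "__main__":
    new_text, hits = clean_win_ini(SAMPLE)
    print("removed:", hits)
    print(new_text)
```

Run it against a copy of win.ini and compare the result before replacing the original; the script does not touch the registry Run entries or C:\AUTOEXEC.BAT.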

A free download of the FireLite [ 1100 KB ] version is also available to detect Opaserv and its variants. The Fire anti-virus kit removes the Opaserv worm and its variants safely. If you find this worm, use the registered version of Fire to remove it. To get the registered version of Fire, call us at 044-28170440, mail service@fireav.com, or purchase Fire online using

[Analysis: Mr.Jacob Kalis, Prognet Technologies Pvt. Ltd., Oct. 2002]
[Revised: Mr.Ramesh, Prognet Technologies Pvt. Ltd., Dec. 2002]
