OpaServ - Grrrrrrrrrrr
Blackspear
December 16th, 2002, 05:03 AM
This is bugging the hell out of me, I've cleaned a PC twice now, gone into the registry totally removed OpaServ and all its variants through the following:
1. Disconnected computer from the Internet and LAN.
2. Booted to safe mode
3. Ran both of the NOD32 Opaserv cleaners from http://www.nod32.com.au
4. Checked win.ini for any unusual references after run=
5. Check registry and delete the values: ScrSvr %windir%\ScrSvr.exe and ScrSvrOld <original worm name> from the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6. Manually search for and delete the files .....
scrsvr.*
brasil.*
marco*.*
put.ini
alevir.*
This time around I put on Sygate as the firewall, rescanned with Nod32, it came up all clean.
My Question to the Eset Team: Why is Nod32 allowing reinfection and changes to the registry to occur. Nod32 deletes the infection upon detection, but still allows the registry to be altered, thus upon reboot heaps of messages appear: missing brasil... missing put.ini...etc, etc.
I have told this person to stop using webmail and use a pop3 account that I have set up.
Your help would be appreciated, I simply do not understand why Nod32 is allowing part of the virus to get past...
Cheers.
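The manual steps 4 and 5 above (checking win.ini's run= line and the Run key for the ScrSvr/ScrSvrOld values and the listed file names) can be turned into a repeatable check. The script below is an added example written for this thread, not one of the NOD32 or Symantec cleaners: it audits a win.ini text and a regedit export (.reg) of the Run key against the indicator names from the post. Both inputs are constructed samples that only imitate the real file layouts, and the matching is by name pattern only, so it finds the same things the manual search does, nothing more.

```python
"""Audit a win.ini and a regedit export (.reg) of the Run key for the Opaserv
indicators named in the post above (value names ScrSvr / ScrSvrOld, files
scrsvr.*, brasil.*, marco*.*, put.ini, alevir.*).

Added example, not from the thread. The two inputs below are constructed
samples that only imitate the real win.ini and .reg layouts."""
import fnmatch
import re

RUN_VALUE_NAMES = {"scrsvr", "scrsvrold"}
FILE_PATTERNS = ["scrsvr.*", "brasil.*", "marco*.*", "put.ini", "alevir.*"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample win.ini: the run= line launches one of the indicator files.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\brasil.pif
[Desktop]
Wallpaper=(None)
"""

# Constructed sample .reg export of the Run key (backslashes are doubled in .reg files).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ScrSvr"="%windir%\\ScrSvr.exe"
"ScrSvrOld"="C:\\WINDOWS\\marco!.scr"
"""


def _basename(cmd):
    """File name part of the first token of a command line (quotes and path stripped)."""
    first = (cmd.strip().split() or [""])[0].strip('"')
    return first.replace("/", "\\").rsplit("\\", 1)[-1]


def matches_indicator(filename):
    """True if filename matches one of the Opaserv file patterns, case-insensitively."""
    return any(fnmatch.fnmatchcase(filename.lower(), p) for p in FILE_PATTERNS)


def audit_win_ini(text):
    """Return (key, command) pairs from run=/load= in [windows] that reference an indicator file."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # run= and load= accept a comma-separated list of programs
            for cmd in value.split(","):
                if cmd.strip() and matches_indicator(_basename(cmd)):
                    hits.append((key, cmd.strip()))
    return hits


def audit_run_key(reg_text):
    """Return (value name, data) pairs under the Run key whose name is ScrSvr/ScrSvrOld
    or whose data starts an indicator file."""
    hits, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() != RUN_KEY.lower():
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue  # not a REG_SZ value line (e.g. dword or hex data)
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() in RUN_VALUE_NAMES or matches_indicator(_basename(data)):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for hit in audit_win_ini(SAMPLE_WIN_INI) + audit_run_key(SAMPLE_REG):
        print("indicator:", hit)
```

To run it against a real machine, export the Run key with regedit /e and feed that text plus the contents of win.ini to the two audit functions; anything they return is a leftover autostart entry that the cleaners should have removed.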
Paul Wilders
December 16th, 2002, 05:06 AM
Blackspear,
What O/S are we talking about here?
regards.
paul
Blackspear
December 16th, 2002, 05:12 AM
Hi Paul, in this case Windows 98SE fresh install after first infection of multiple viruses including Opaserv, so in fact today brings this to the 3rd reinfection in 4 days... I'll see how it goes tomorrow with Sygate having closed any and all open ports (I usually use ZoneAlarm, but in this case he wants to Internet Share, which Sygate facilitates).
Cheers.
Paul Wilders
December 16th, 2002, 05:19 AM
Blackspear,
Doesn't SE use System Restore? That might be the culprit here.
regards.
paul
Blackspear
December 16th, 2002, 05:27 AM
Not sure Paul, but I have done a complete search of the registry, found and deleted all files relating to OpaServ, ran 2 removal tools from Nod32 and one from Symantec, everything then came up clean, all 3 times. Rescanned multiple times. Besides, this would not account for reinfection after a clean install of Windows, no system restore available after a format ;D
I just can not see how he is being reinfected and why Nod32 is allowing part of the virus to get past, surely this is the job of Amon to scan and maintain protection of everything outside of the pop3 scanner...
Cheers.
Jooske
December 16th, 2002, 05:34 AM
Using win98se myself, no system restore here.
Was the first thing i was thinking of too.
I must remember we're in the NOD32 forums now, as I wanted to suggest to try your other new tools (even the eval versions would do) to see if anything is left and monitoring when or with what it happens.
Primrose
December 16th, 2002, 05:36 AM
Hi Blackspear,
These two links might give you an idea of what is going on with a fresh install of Win 98 "out of the box". This first link is on a project to get infected for a copy of Opaserv.
http://forum.gladiator-antivirus.com/index.php?act=ST&f=10&t=676&s=9f1a469a8e79951ca30b32833c4fb92e
This is why people are getting reinfected.
Subject: Opaserv reinfection possible cause
http://miataru.computing.net/security/wwwboard/forum/3034.html
Paul Wilders
December 16th, 2002, 05:38 AM
Blackspear,
Did you give Paolo Monti's updated cleaner (http://www.wilderssecurity.com/showthread.php?t=4443) a go?
regards.
paul
Blackspear
December 16th, 2002, 05:38 AM
Hi Jooske, don't get me wrong here, I do like TDS-3, but with it making my system into a PIG, my confidence in placing it on a Celeron 400 with 256MB Ram is absolutely ZERO, I want to sort out what it's doing to my system before taking it elsewhere ;D
Cheers.
Blackspear
December 16th, 2002, 05:42 AM
Hi Paul, yes that is one of the 3 cleaners that I used ;D
I have very little hair left after the 3rd infection and they're using my heart to power a nuclear station... ;D
Cheers.
Pieter_Arntz
December 16th, 2002, 05:47 AM
Hi Blackspear,
Could you look at our downloads section (http://www.wilders.org/downloads.htm) and grab a copy of startuplist.
Please post the log the program makes. Maybe that will clarify things.
Regards,
Pieter
Primrose
December 16th, 2002, 05:52 AM
I am not going to suggest you use something else ;D
But I will say there is not just ONE type of Opaserv and some standalone tools do have problems getting them "all".
How many versions of Opaserv at this time ???..see this link.
http://forum.gladiator-antivirus.com/index.php?act=ST&f=56&t=690&s=9f1a469a8e79951ca30b32833c4fb92e
You can expect your AV to stop it if you have the OS, AV and firewall setup correctly and if your AV is looking for all the varieties.
But once infected ..it is tough.
Blackspear
December 16th, 2002, 05:53 AM
No worries Pieter, will give it a go, I placed RegCleaner on the system and made sure only things that I know of were in the registry, it also now shows all existing files as "Old", so anything new will stand out...
It still does not answer why after a format and fresh install of windows why Nod32 let it back in again (though no firewall was present until today - 3rd infection).
Cheers.
Primrose
December 16th, 2002, 05:57 AM
I will leave you all to it then..but if you go to the links I posted it will explain...as you say
"It still does not answer why after a format and fresh install of windows why Nod32 let it back in again (though no firewall was present until today - 3rd infection)."
Blackspear
December 16th, 2002, 06:00 AM
Hi Primrose, I followed the link, it does not explain anything other than showing there are a few variants ???
I'm one that is happy to continually look, listen and learn ;D
Cheers.
Primrose
December 16th, 2002, 06:18 AM
More that just a few..is the problem and you will see more coming.
But you should not just rely on the AV in any case with what you know you can and should do to lockdown the OS so that it is not susceptible to Opaserv in the first place and that is why I also posted this link...
Subject: Opaserv reinfection possible cause
http://miataru.computing.net/security/wwwboard/forum/3034.html
And since Opaserv can play havoc with Win 98 start working on that OS so it can not set up shares and do its thing...that is most important.
Blackspear
December 16th, 2002, 06:23 AM
Ahhhh that links much better ;D
Thanks Primrose, I'm trying to get the system as tight as possible, however I'm dealing with dumb and dumber, these people have owned computers for years and they still do NOT know how to copy and paste, what can I say. If I lock it up too tight they won't be able to use it and my phone will run hotter than it already is :(
Cheers.
Paolo Monti
December 16th, 2002, 06:30 AM
Hi all,
we experienced that in some cases, when the end user cannot use other means, it could be useful using a quick & dirty trick to avoid Opaserv infections: create "dummy" files with the same name of the files used by Opaserv and then protect them with file attributes.
Here you are a little tool to "immunize" the system against Opaserv
http://www.nod32.it/tools/DFC.ZIP
The program name is "Dummy File Creator" (DFC), and it has the purpose to create a list of files which hinder Opaserv replication through open shares. The configuration file (DFC.INI - a standard INI file) is already set to contain the right list of the files. Anyway, this program is easily customizable to handle whatever list of file names. DFC supports a switch on command line:
/s
if DFC has launched with that parameter on command line, it will work in "silent mode", i.e. it will create the files and then will quit without showing any window to the end user.
Enjoy ;)
ciao,
Paolo.
Primrose
December 16th, 2002, 06:31 AM
Quoting Blackspear:
Ahhhh that links much better ;D
Thanks Primrose, I'm trying to get the system as tight as possible, however I'm dealing with dumb and dumber, these people have owned computers for years and they still do NOT know how to copy and paste, what can I say. If I lock it up too tight they won't be able to use it and my phone will run hotter than it already is :(
Cheers.
I figured that it was not your system...that is a hard call..do too much and they will think you broke the box :o
We share in your frustration on that one.
Good Luck and happy holidays,
John
Primrose
December 16th, 2002, 06:38 AM
Paolo Monti to the rescue ONCE again. WTG ;) I knew we could count on you for solutions as always. That will be a nice Holiday Present for many.
Thank You,
John
anders
December 16th, 2002, 06:39 AM
1) Make sure that Amon is loaded.
2) Make sure that Amon is set to scan on open+create+execute ("Targets" tab).
3) Make sure that nothing is excluded from Amon ("Exclude" tab).
4) Make sure that "Signatures" and "Heuristics" are set ("Methods" tab).
5) Disable sharing of C:\. (type "net share" in a DOS-prompt to see the shares)
6) Visit www.windowsupdate.com (http://www.windowsupdate.com) and download all available security updates.
Best regards,
Anders
EuroSecure
Blackspear
December 16th, 2002, 06:50 AM
Thanks Paolo. Anders, I have done all of that, I set up Nod32 exactly as you have said on each install.
I now have a greater understanding of how this virus works:
One possible reason why this virus keeps reappearing is due to a protocol built into windows called Router Solicitation. This means that when your ports are open your system sends out its IP address to a multicast server (log IP 224.0.0.2). This would have been set up by a previous infection. This has the effect of broadcasting your IP to whoever wants to listen (similar to announcing it on a radio - MS knowledge base Q223756).
The virus is then sent back to your system under the various names and you become reinfected, unless your virus scanner picks it up. The cure is to download a file called tweakup (free) from www.homestead.com/tweakup/tweakup.html and run a program called disable IRDP. This amends your registry to turn the transmission off.
This was posted on: http://miataru.computing.net/security/wwwboard/forum/3034.html
Together with Paolo's advice and a Firewall, I hope this mongrel will not reappear >:(
I still would like to know from the Eset Team why Amon is allowing reinfection, as in, how it allows changes in the registry, surely it should stop this?
Cheers.
jan
December 16th, 2002, 09:22 AM
Hey Blackspear,
a virus doesn't write to the registers until it is executed - Amon protects it from being executed - if set up properly - it's possible that user had the settings not correct.
rgds, :)
jan
anders
December 16th, 2002, 09:33 AM
I'm quite certain that if you still receive infected files, you probably still have your drives shared.
Other possibilities are:
You have an unknown dropper for the Opaserv worm installed. (not likely)
You have a backdoor installed, and someone is dropping Opaserv to your computer. (not likely)
If you have a NT-based system, do the following:
Start -> Run
enter: %comspec% /c net share > c:\share.txt && notepad c:\share.txt
(that SHOULD work ;)
Copy and paste the output to this forum.
If you have Windows 95/98/ME, I can't think of a quick way to show local shares... hmm.. yeah, the registry..
Start -> Run
enter (one line): regedit /e c:\share.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan
Start -> Run
enter: notepad c:\share.txt
Copy and paste the output to this forum.
Best regards,
Anders
EuroSecure
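Anders' step 5 and the `net share > c:\share.txt` line above produce a text table that is easy to misread by eye when a box has several shares. The script below is an added example written for this thread (not an ESET or EuroSecure tool): it parses that table and flags any share that exposes a whole drive, the Windows directory, or something inside it, which is the exposure Opaserv relies on. The sample output is constructed to imitate the NT-family `net share` layout, and the Windows directory is passed in as a parameter because it differs between installs.

```python
"""Parse the output of `net share` (saved to a file with the Start -> Run line
in the post above) and flag shares that expose a whole drive or the Windows
directory.

Added example, not from the thread. The sample output below is constructed to
imitate the NT-family `net share` table layout; the Windows directory is an
assumption passed in as a parameter."""
import re

# Constructed sample: what `net share > c:\share.txt` might contain on an NT-based box.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
IPC$                                         Remote IPC
C            C:\
Invoices     C:\Data\Invoices
The command completed successfully.
"""

_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_net_share(text):
    """Return (share_name, resource_path, remark) tuples from `net share` output."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True  # separator under the column headers; rows follow
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        parts = re.split(r"\s{2,}", line.rstrip())  # columns are padded with spaces
        name, resource, remark = parts[0], "", ""
        for part in parts[1:]:
            # the Resource column is empty for IPC$, so decide by shape, not position
            if not resource and _PATH_RE.match(part):
                resource = part
            else:
                remark = part
        shares.append((name, resource, remark))
    return shares


def risky_shares(shares, windir="C:\\WINDOWS"):
    """Return (name, resource, reason, hidden) for shares that expose a drive root,
    the Windows directory, or anything inside it. hidden is True for names ending
    in '$' (administrative shares, not listed in Network Neighborhood)."""
    findings = []
    w = windir.rstrip("\\").lower()
    for name, resource, _remark in shares:
        if not resource:
            continue
        r = resource.rstrip("\\").lower()
        if re.fullmatch(r"[a-z]:", r):
            reason = "whole drive shared"
        elif r == w or r.startswith(w + "\\") or w.startswith(r + "\\"):
            reason = "Windows directory reachable through share"
        else:
            continue
        findings.append((name, resource, reason, name.endswith("$")))
    return findings


if __name__ == "__main__":
    for finding in risky_shares(parse_net_share(SAMPLE_NET_SHARE)):
        print(finding)
```

On the constructed sample this reports ADMIN$ and C$ (hidden administrative shares) and the user-created share C, which is the one an Opaserv-infected neighbour can write into; a share such as Invoices that sits outside the Windows directory is not reported.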
Paolo Monti
December 16th, 2002, 10:41 AM
Quoting anders:
You have an unknown dropper for the Opaserv worm installed. (not likely)
Yep, right. Here (I mean, in Italy) we had ITW a dropper of Opaserv, now detected by NOD32.
Quote:
If you have Windows 95/98/ME, I can't think of a quick way to show local shares...
NET VIEW \\%ComputerName% should work as well.
ciao,
Paolo.
anders
December 16th, 2002, 11:17 AM
Quoting Paolo Monti:
NET VIEW \\%ComputerName% should work as well.
Of course!
I'm forgetting non-NT more and more. :P
Regards,
Anders
Blackspear
December 17th, 2002, 04:12 AM
Quote: "a virus doesn't write to the registers until it is executed - Amon protects it from being executed - if set up properly - it's possible that user had the settings not correct."
If this is the case, and I know for sure that the system was set up correctly (I did it myself ;D ), and OpaServ was fully removed, how was the registry altered again? Why did Amon allow this?
We are now more than 24hrs later and the system is still clean.
Thank you all for your help, Opaserv is a persistent mongrel >:( at least now I know how to strangle it ;D
Cheers.
jan
December 17th, 2002, 04:30 AM
Hey Blackspear,
Quote: "We are now more than 24hrs later and the system is still clean."
I'm glad it's OK now. :D
Quote:
...3. Ran both of the NOD32 Opaserv cleaners from http://www.nod32.com.au...
...5. Check registry and delete the values: ScrSvr %windir%\ScrSvr.exe and ScrSvrOld <original worm name> from the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6. Manually search for and delete the files .....
scrsvr.*
brasil.*
marco*.*
put.ini
alevir.*
... upon reboot heaps of messages appear: missing brasil... missing put.ini...etc, etc.
We recommend to use our cleaners without manual intervention.
Anyway, it's over now - good to have the machine clean :)
Best wishes,
jan
Blackspear
December 18th, 2002, 06:40 AM
More than 2 days clean now, client is very happy, and so am I ;D
Thanks for your help everybody ;D
Cheers.
Blackspear
December 18th, 2002, 07:22 AM
I still have one nagging and gnawing question, that nobody has yet answered:
Quote: "a virus doesn't write to the registers until it is executed - Amon protects it from being executed - if set up properly - it's possible that user had the settings not correct."
The system in question - Win98SE, it is the only machine with internet access (other 2 machines are CLEAN install with XP-Pro and Nod32 - All set up by me - Deep Heuristics, Scan all files, Scan Extensionless files, Clean and if uncleanable - delete etc etc, and BOTH these PCs are CLEAN of viruses and have NEVER been infected). C Drive on 98 PC is shared - yes I know about this.
Clients only ever use internet to get "Web-mail", mail ONLY ever comes from 1, yes 1 business - massive video chain - their emails and PCs are clean, or more than 400 stores across Australia would also be infected (and I'd love that job of cleaning off viruses) ;D
The client did not open or click on anything, they don't know how to execute a file, and weren't game enough to try anything after the 1st infection, too scared to touch ;D
How did the registry change after a FRESH install of windows, as in there was reinfection from Opaserv (all the usual files - brasil etc) which were found in the registry after reconnection to the internet?
As I understand it, Amon checks the background. If Amon is checking the background, how did the 2nd and 3rd reinfections get past Amon into the registry?
This just bugs me, clean install, Nod and Amon setup properly, reinfection - How?
Cheers.
jan
December 18th, 2002, 09:50 AM
Hey Blackspear,
the discussion is getting pretty long here ;)
Quote: "C Drive on 98 PC is shared - yes I know about this."
The disk shouldn't be shared for writing (the user should disable it) - especially the system directory (that's a BIG security hole). If there is a need for write sharing - select a specific directory that is not dangerous.
Quote: "How did the registry change after a FRESH install of windows, as in there was reinfection from Opaserv (all the usual files - brasil etc) which were found in the registry after reconnection to the internet?"
One of the possibilities is that maybe that user was checking a webpage and maybe there was a quick alert from Amon that a dangerous file has been created on the disk and he just clicked it OK - it happens sometimes when too many windows are opened.
There are many possibilities - if we should write it more exactly we'd need to see that process on site.
rgds, :)
jan
Blackspear
December 18th, 2002, 04:31 PM
Thanks Jan, sure this is getting pretty long, but nobody addressed my why (how) question... and now you have and it has given me an understanding of how it could happen. With these guys there is a very GREAT chance that they clicked OK, in fact that is most likely ;D
I'm now going to have to tell all my clients to read very carefully what Amon is alerting them to, and at all times delete. When I 1st purchased Nod32 and started selling it, I thought having set Nod up to automatically clean and if uncleanable delete, this would have been the case. It is not. This would be a great feature for the general public - especially my dumb and dumber ;D being, it gives them no option to screw up ;D that it just deals with viruses according to preset settings and advises them of such upon removal ;D
Thanks for your answer...
Cheers.
jan
December 19th, 2002, 09:59 AM
OK, we'll think about it
All the best :)
jan
cotopaxi
December 23rd, 2002, 04:57 PM
Well, this is my first time posting to this board. We had the same problem, but this little trick may help, using it in addition to all the tools and removal programs. Do a search not with file name, use "containing text" using brasil, marco, and all the names. You will be surprised how many files you find...
Hermann
hsavage
December 24th, 2002, 02:44 AM
http://www.pandasoftware.com/com/us/
I've tried 5 or 6 different virus programs and several virus removal tools and they all allowed reinfection after indicating opaserv had been cleaned.
I don't think any virus program out there will find and remove the code that kicks off opaserv.
I suggest you go to the above link and in the Virus Encyclopedia click on one of the variants of opaserv.
Eventually you'll get to a page where you can download a file named PQRemove.com.
It's a virus removal tool that does something a little differently than all the others.
It will, initially, clean the registry and the win.ini file and delete any of the standard opaserv files. It then creates folders of the same names, e.g., C:\windows\scrsvr.exe, so the folder path looks exactly the same as the executable opaserv files.
Wherever the virus code resides it can't write the executable to disk because there will be a folder with the same name and an executable can't overwrite a folder with the same name.
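Paolo Monti's Dummy File Creator (empty files protected by file attributes) and the PQRemove behaviour hsavage describes (folders carrying the worm's file names) are two versions of the same idea: occupy the path the worm wants to write to. The script below is an added example written for this thread, not DFC's or PQRemove's code, that implements both variants side by side. The name list is constructed for the example (the real tools ship their own), the target directory is a parameter, and existing entries are deliberately left alone because a file already sitting at one of those names is a job for the cleaner, not for a placeholder.

```python
"""Occupy the file names Opaserv writes so a dropper cannot place its
executable there: either an empty read-only file (the DFC approach) or a
directory of the same name (the PQRemove approach).

Added example, not code from DFC or PQRemove. The name list below is
constructed for the example; the target directory is a parameter."""
import os
import stat
import tempfile

# Constructed list; the real tools ship their own configuration of names.
PLACEHOLDER_NAMES = ["scrsvr.exe", "scrsvrold.exe", "brasil.pif",
                     "marco!.scr", "put.ini", "alevir.exe"]


def immunize(target_dir, names=PLACEHOLDER_NAMES, mode="file"):
    """Create a placeholder for each name in target_dir.

    mode="file": empty file with the read-only attribute (DFC style).
    mode="dir":  directory of that name (PQRemove style); a file write
                 cannot replace a directory.
    Returns {name: "created" | "exists-file" | "exists-dir"}. Existing
    entries are never touched: a file already there may be the worm itself
    and belongs to the cleaner, not to this script."""
    results = {}
    for name in names:
        path = os.path.join(target_dir, name)
        if os.path.isdir(path):
            results[name] = "exists-dir"
            continue
        if os.path.lexists(path):
            results[name] = "exists-file"
            continue
        if mode == "dir":
            os.mkdir(path)
        else:
            with open(path, "wb"):
                pass
            # S_IREAD: mode 0o400 on POSIX, the read-only attribute on Windows
            os.chmod(path, stat.S_IREAD)
        results[name] = "created"
    return results


def verify(target_dir, names=PLACEHOLDER_NAMES):
    """True if every name is occupied by a directory or by a file without the
    owner write bit (checked via st_mode, so the answer is the same for root)."""
    for name in names:
        path = os.path.join(target_dir, name)
        if os.path.isdir(path):
            continue
        if not os.path.isfile(path):
            return False
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWUSR:
            return False
    return True


def try_drop(target_dir, name):
    """Open the placeholder for writing the way a dropper would; False means blocked.
    Caveat: on POSIX, root bypasses the read-only bit on a *file*, so only the
    directory placeholder is a hard block there; on Windows the read-only
    attribute refuses the write until something clears the attribute."""
    try:
        with open(os.path.join(target_dir, name), "wb") as fh:
            fh.write(b"x")
        return True
    except OSError:
        return False


def demo():
    """Run both modes in fresh temporary directories; returns per-mode results:
    (first immunize, verify, second immunize, try_drop on the first name)."""
    out = {}
    for mode in ("file", "dir"):
        d = tempfile.mkdtemp(prefix="opaserv-immunize-")
        out[mode] = (immunize(d, mode=mode), verify(d),
                     immunize(d, mode=mode), try_drop(d, PLACEHOLDER_NAMES[0]))
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The second immunize call in demo shows the idempotence that matters in practice: re-running the tool after a reboot reports the placeholders as already present rather than replacing them, and if a real worm file has appeared under one of the names in the meantime it is reported as "exists-file" instead of being silently overwritten.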
Blackspear
January 22nd, 2003, 03:30 AM
I'm NOT happy, I'm getting to the point that I do NOT believe Nod32 can actually protect against Opaserv.
I have had 2 more clients today that did NOT and have NEVER had Opaserv infect their systems, on my recommendation they purchased Nod32 for NEW computers.
One of these customers was going ape-sh*t in my shop this afternoon about his systems being infected... I kept putting it back to him NOT having a firewall and this is how he became infected, what else could I say... It's a mongrel worm that nobody seems to have any answers for...
It makes it hard to sell Nod at this point, when this same client is used to hearing only the big 2 AV's, and he is wondering why he purchased a little AV that he and his friends etc have never heard of, and now he is infected...
I personally set up Nod on their computers, both did not have firewalls, one (by sheer bad luck – or stupidity – if I can say that with hindsight) did not put his firewall back on to protect his computer on a ADSL connection, the other is on dialup and did not see the point.
BOTH are now infected with Opaserv.
Amon did NOT protect their computers.
This is getting to be ridiculous, Amon is NOT doing its job! I can’t see how anyone can say it is…
I see in my ZoneAlarm logs that port 137 is being targeted, when I ask other firewall protected users the same question, I get the same response, massive hits on port 137, approximately 80%
Do I now need to sell a firewall when I sell Nod to stop any potential infections of Opaserv????
If this is the case it is going to be a massive pain in the backside to teach the average user what a firewall is and how to use it… No it’s not stopping your internet connection, you just haven’t given it permission to access the internet. No it’s not stopping your Emails, you just haven’t given it permission to access the internet… But I gave it permission, but you didn’t tell it to remember this answer… This firewall is too much hassle, No, it really isn’t, you just need to read what it is trying to tell you and let it protect your system…
I am at a loss as to what to do for the average home user and for the average small business. I am trying to defend this product (Nod32) but am losing the battle very quickly…
I am becoming VERY disillusioned…
Can someone from Eset please tell me:
WHY if Amon is supposedly protecting EVERY file, by continuous scanning in the background, does it allow alteration of system files???
Why can't you guys at Eset as the world's leader and very best Anti-virus manufacturer write something into an update that stops this mongrel in its tracks, FULL STOP! You guys know how this mongrel operates, surely you have the ability to circumvent this pig and stop it from giving us as end users absolute heartache.
At the moment you are offering a patchup job AFTER an infection, I need to offer a solution PRIOR to infection to my customers, as far as I'm concerned with my experiences in the field, at the moment they are NOT protected with Nod32...
You guys are way superior beings to the mongrel who wrote this ;D The sun shines from your office in Esetland, I'm sure that's where it starts its rise across the planet. I love your work... I'm just one frustrated, angry, p*ssed off reseller... I'm getting heat from end-users that are getting infected... and I can NOT offer a solution prior to infection (it used to be "Install Nod", this is no longer an appropriate course of action - it is NOT a complete solution).
I not only need answers, I need urgent solutions BEFORE this becomes a major headache for me...
Cheers.
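The observation above that roughly 80% of logged firewall hits land on port 137 (NetBIOS name service, the port Opaserv uses to find open shares) is the kind of figure worth measuring rather than estimating. The script below is an added example written for this thread, not a ZoneAlarm feature: it parses blocked-connection log lines and reports what share of them target port 137, which sources are responsible, and how many touch any of the NetBIOS ports. The log format is a constructed, generic one (timestamp, action, protocol, source, destination) chosen so the example runs offline; a real ZoneAlarm log would need its own regular expression, and the addresses are documentation ranges, not real hosts.

```python
"""Summarise blocked inbound firewall events by destination port, to put a
number on how much of the noise is NetBIOS (port 137) probing.

Added example, not from the thread. The log lines are constructed in a
generic format; a real firewall log needs its own LOG_RE. Addresses are
from the documentation ranges (TEST-NET), not real hosts."""
import re
from collections import Counter

# Constructed sample: ten blocked inbound events as a dial-up box might log them.
SAMPLE_LOG = """
2003-01-21 22:14:03 BLOCK UDP 203.0.113.17:137 -> 198.51.100.5:137
2003-01-21 22:14:05 BLOCK UDP 203.0.113.17:137 -> 198.51.100.5:137
2003-01-21 22:14:09 BLOCK UDP 203.0.113.17:137 -> 198.51.100.5:137
2003-01-21 22:14:12 BLOCK UDP 203.0.113.17:137 -> 198.51.100.5:137
2003-01-21 22:15:40 BLOCK UDP 203.0.113.88:1025 -> 198.51.100.5:137
2003-01-21 22:15:41 BLOCK UDP 203.0.113.88:1026 -> 198.51.100.5:137
2003-01-21 22:17:02 BLOCK UDP 192.0.2.200:137 -> 198.51.100.5:137
2003-01-21 22:18:55 BLOCK UDP 192.0.2.201:137 -> 198.51.100.5:137
2003-01-21 22:19:10 BLOCK TCP 203.0.113.5:2345 -> 198.51.100.5:80
2003-01-21 22:20:31 BLOCK TCP 192.0.2.9:3001 -> 198.51.100.5:139
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# NetBIOS name service, datagram service and session service
NETBIOS_PORTS = {137, 138, 139}


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["sport"] = int(event["sport"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def summarize(events, port=137, top=3):
    """Share of events aimed at `port`, the busiest sources for it, and the
    count of events touching any NetBIOS port."""
    hits = [e for e in events if e["dport"] == port]
    total = len(events)
    return {
        "total": total,
        "port_hits": len(hits),
        "fraction": len(hits) / total if total else 0.0,
        "top_sources": Counter(e["src"] for e in hits).most_common(top),
        "netbios_any": sum(1 for e in events if e["dport"] in NETBIOS_PORTS),
    }


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

On the constructed sample the port 137 share comes out at exactly 0.8, with one source responsible for half of those hits; sorting by source like this is what tells a repeated scan from one infected neighbour apart from background noise, and the netbios_any count catches the port 139 session attempts that a port-137-only filter would miss.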
Blackspear
January 22nd, 2003, 04:47 AM
Am I correct in my train of thought and understanding:
1) Opaserv is targeting port 137.
2) It is coming in from the web through port 137 if a firewall is not present.
3) Amon is NOT protecting a system with infection from the Web (otherwise system files would NOT be altered).
4) Due to how it comes in, EVERY user should now have a firewall BEFORE they become infected (being on dialup connection is no longer an excuse for NOT having a firewall).
5) The ONLY way for a NEW system that has NEVER been on the internet to be protected from Opaserv is to have a firewall and Nod32, BEFORE they connect for the 1st time to the internet.
If this is the case, I'll send out a mass email to my clients and advise them to immediately install a firewall, even if they are on dialup, as they are prone to infection...
Cheers.
jan
January 22nd, 2003, 09:47 AM
Hi Blackspear,
I'm also not happy that the customer got infected. One of the possibilities is - as I already wrote in this thread - that the C disk was shared:
>The disk shouldn't be shared for writing (the user should disable it) - especially the system directory (that's a BIG security hole). If there is a need for write sharing - select a specific directory that is not dangerous, use more letter/number password for sharing and update the system for the latest patches.
We need to educate the users about this. We'll also do it.
rgds,
jan
mccracky
January 22nd, 2003, 03:18 PM
Quoting jan:
>The disk shouldn't be shared for writing (the user should disable it) - especially the system directory (that's a BIG security hole). If there is a need for write sharing - select a specific directory that is not dangerous, use more letter/number password for sharing and update the system for the latest patches.
I reiterate what Jan said about the latest patches. If a user on Win9xME doesn't have the Share Level Password patch ( http://support.microsoft.com/default.aspx?scid=kb;en-us;273991 ) It doesn't matter about how good a password is. But, if they don't need it, I would completely disable the file sharing from within the network neighborhood.
- Fixed MS link