Brasil.Pif
|
Original Message
|
Name: Helmut G. Vogel
Date: October 19, 2002 at 10:37:21 Pacific
Subject: Brasil.Pif OS: WIN98SE CPU/Ram: AMD XP with 256M
|
Comment: Seems to be a new virus. I just detected it with a RUN=brasil.pif being put into win.ini. Who knows more?
|
|
Response Number 2
|
Name: Norm
Date: October 19, 2002 at 13:04:39 Pacific
|
Reply: This is something to look at. From the FAQ page:
Does SurfinGuard Pro replace traditional anti-virus software?
Summary: SurfinGuard Pro does not replace traditional anti-virus software. SurfinGuard complements anti-virus software by providing a new line of security that can proactively prevent new malicious code attacks on their "first strike".
Full Explanation: Unlike traditional anti-virus technology, SurfinGuard Pro represents a new way to combat hostile active content based on code behavior, not by static signature recognition. Because SurfinGuard Pro does not rely on database updates, it defends against new variants, unknown and "yet-to-be-created" attacks on the "first strike".
SurfinGuard Pro was designed to complement, not replace, anti-virus products. The security coverage provided by SurfinGuard Pro and anti-virus products does not completely overlap, so Finjan recommends that you keep your anti-virus software and install SurfinGuard Pro as an additional layer of defense.
More info and a link: http://computing.net/security/wwwboard/forum/2581.html
I can't answer your question, I hope this helps.
|
|
Response Number 3
|
Name: angelface
Date: October 19, 2002 at 13:38:26 Pacific
|
Reply: I just found it too by restarting Windows. Somehow win.ini can't find the file, although I did find it in windows. I have deleted it but don't know if it'd work. It looks very similar to the scrsvr.exe w32.worm, so I will use the same method to delete it.
|
|
Response Number 4
|
Name: VladTsyrklevich
Date: October 19, 2002 at 15:52:48 Pacific
|
Reply: All I could get is:
Detected as: Brasil
Aliases: None
Area of Infection: Floppy Boot Sector, Master Boot Record
Characteristics: Memory Resident, Full Stealthing, Wild
HTH!
|
|
Response Number 5
|
Name: murve
Date: October 20, 2002 at 12:01:32 Pacific
|
Reply: Hi Helmut, delete the entry brasil.pif from win.ini; run and load should equal nothing. Then save and reboot. Check your Windows directory for the brasil.pif file and delete it, go into your registry and do a search for that file, and wherever found delete the value. Check your run services also in your hkey current user, hkey user, and hkey local machine; if found, delete the key. Scan your computer with an anti-trojan and an anti-virus software, with the latest definitions. If this does not work then go into DOS and use fprot for DOS and scan your machine. Hope this helps, take care, murve
|
|
Response Number 6
|
Name: maurice
Date: October 20, 2002 at 12:51:47 Pacific
|
Reply: This is the tail of the famous scrsvr.exe w32.worm virus. LOOK OUT: before I deleted the file I scanned it with the latest Norton antivirus scanner. Result: no viruses were found. If anyone finds tails in win.ini or elsewhere, please send an e-mail to me...
|
|
Response Number 7
|
Name: Marvin
Date: October 20, 2002 at 13:10:40 Pacific
|
Reply: Hi, I scanned with NAV (latest update) and it didn't detect it as a virus, but it SURE is! It does an address lookup every minute or so (to www.nt3.com.br). But I found a way to delete it. First run regedit and search for "brasil.pif" and delete all the lines it finds (it will for sure find a line in the run-map). Afterwards restart your computer in DOS mode and go to c:\windows and delete the file brasil.pif. This should do it, it worked for me. Good luck!
|
|
Response Number 9
|
Name: Alx
Date: October 20, 2002 at 17:42:47 Pacific
|
Reply: I had it too. It seems to be a clone of scrsvr (it works in the same manner) but it's a little harder to prevent. For scrsvr you can simply create in C:\Windows a scrsvr.exe file (i.e. with VB) which starts with Windows and stays in execution (doing nothing) so that it is impossible to overwrite it. When I discovered Brasil.pif, I modified the above-mentioned scrsvr.exe so that it opens an empty file named Brasil.pif in the C:\Windows folder. The effect is the same (a Brasil.pif is always open and therefore not overwritable by external sources...). If you like, I can send you a copy of my "prevention program" (please contact me if you need it); obviously, you have to remove the "infection" first (i.e. using the instructions reported in "Response Number 5"). Hi, Alx
|
|
Response Number 10
|
Name: Alain Vadeboncoeur
Date: October 20, 2002 at 18:13:22 Pacific
|
Reply: Hi, thanks for the info. I'm not a specialist, but I found the line in "win.ini" and deleted it, and ran a file search, which found "brasil.pif" in the Windows dir, with an icon of "MS-DOS" and information "short-cut" for MS-DOS. I just can't erase the file. What does it mean, and any suggestions? Cheers, Alain V.
|
|
Response Number 11
|
Name: ted
Date: October 20, 2002 at 19:25:35 Pacific
|
Reply: I tried everything that is in message 5 but it keeps coming back. I've searched the registry at least 15 times. The file keeps coming back and the line run=c:\windows\brasil.pif keeps coming back. WOW!!!
|
|
Response Number 12
|
Name: temoc
Date: October 20, 2002 at 23:32:37 Pacific
|
Reply: It's almost the same as opasrv... aaaaarrgggg I hate this, but be careful, this is a very dangerous virus (well, at least my variant was very dangerous), because I found in the registry under the key run_once the line: command.com delete windows or something like that (I screamed in that moment). So, I recommend that you people download wintercooler; this program can show you the main registry keys and if there's something strange or a run line in win.ini. Well, I deleted the keys in the registry and in win.ini, restarted my PC in safe mode and deleted the brasil.pif (the virus creates another one but it is an exe) under the c:\windows directory, then I created two blank txt files and renamed them as brasil.pif and brasil.exe, both with the read-only attribute. I guess that pqremove and other gadgets will not work because this is a backdoor (only a guess). Try this out, it really works.
|
|
Response Number 13
|
Name: hello
Date: October 20, 2002 at 23:53:27 Pacific
|
Reply: Brasil.pif is the same as opaserv.worm. Kindly remove its entry from the win.ini file. This slows down your machine and spreads on the network very fast. However, I have not yet found a permanent solution for it. Good luck, Bharat Sahay
|
|
Response Number 14
|
Name: nabobvan
Date: October 21, 2002 at 02:41:46 Pacific
|
Reply: I met it also. I'd like to add that I scanned the whole system with VirusScan from McAfee (virus definitions 4.0.4226) and it didn't find it. Radek
|
|
Response Number 15
|
Name: Trish
Date: October 21, 2002 at 05:25:48 Pacific
|
Reply: Arg... This Opaserv worm is the most frustrating worm/virus I have come across. I too have found the Brasil.pif file in my win.ini file... right next to the reference to the scrsvr.exe file that keeps coming back. There has to be a permanent solution out there. I keep removing it manually from the registry, the win.ini file, and deleting all files related to it from my Windows directory, but it keeps coming back... and now brasil.pif... grrr. Trish
|
|
Response Number 16
|
Name: Trev Morson
Date: October 21, 2002 at 08:24:47 Pacific
|
Reply: Yup.. Here is the fix.. I had Brasil.pif just like I had scrsvr.exe.. Norton and the other guys are simply slow on the uptake with Opaserv, which is extremely disappointing. To permanently fix.. treat like scrsvr.exe.. meaning, ..open notepad and save as brasil.pif and/or scrsvr.exe with 0 bytes, go into properties and mark as 'read only'.. Bingo!! No more viruses!!! Trev.
|
|
Response Number 17
|
Name: MR-X
Date: October 21, 2002 at 08:28:04 Pacific
|
Reply: I have it too. I deleted all the files with the name Brasil and the command in "win.ini", but I can't delete Brasil.pif. Does anybody have a solution?
|
|
Response Number 18
|
Name: Markus
Date: October 21, 2002 at 08:45:05 Pacific
|
Reply: Hi, you have to close your NetBios (Ports 137 to 139)! If you don't, this worm will come back again and again. Regards, Markus
|
|
Response Number 19
|
Name: Mancontr
Date: October 21, 2002 at 09:58:48 Pacific
|
Reply: If you can't delete it, it is because it is still running! You can close it with "Process Viewer Application", a WIN95 tool to close threads, that still works in Win98 & ME. In Win XP you can close it on the Ctrl+Alt+Del menu.
|
|
Response Number 20
|
Name: Francois Oliveira
Date: October 21, 2002 at 11:38:19 Pacific
|
Reply: Hi everybody, Markus said that closing Netbios ports 137 and 139 the worm can't come back again, OK! But how can I close these ports?
|
|
Response Number 21
|
Name: Vinod
Date: October 21, 2002 at 11:54:16 Pacific
|
Reply: This is a variant of OPASERV. Removing this virus is easy. First run regedit and remove scrsvr.exe and brasil.pif from the registry. Now boot in DOS mode and remove scrsvr.exe and brasil.pif from the Windows directory. Open the win.ini file in the Windows directory, search for scrsvr.exe and brasil.pif, and remove the lines containing any of these filenames. Disconnect network cables and restart Windows. Now you are free from this worm. Now, for safety you can create the files scrsvr.exe and brasil.pif using notepad and set the attributes to readonly. And remember to install a windows security update released. This is very important. You can write to me if you need any more details. NO FEE !! I love helping people and like to make friends !! Thank Q
|
|
Response Number 22
|
Name: Valdas
Date: October 21, 2002 at 12:05:47 Pacific
|
Reply: Hi, Solution (it helped me):
Start Windows in safe mode.
Delete brasil.pif
Delete line from win.ini
Restart
If you have LAN - check all computers.
Regards
|
|
Response Number 23
|
Name: dw817
Date: October 21, 2002 at 12:06:55 Pacific
|
Reply: Nice to know I'm not alone. I just got mine today. THIS IS IMPORTANT: I have most bought with cash most recent store purchase of Norton Anti-Virus 2002 and it couldn't find it. This virus, like SCRSVR, copies your HD to someone else's computer. You can tell you have it because when you are not doing anything on the internet (like reading Email) it is LIT on the bottom-right-hand corner Internet Write Light. BRASIL may be embedded in critical parts of Windows; to prove it, click (Start) Find, Files or Folders:
Named: *.*
Containing: brasil
Look in: c:\windows
SYSTEM.DAT
USER.DAT
SHELLCONCACHE {no extension}
Merely removing it from the top of WIN.INI won't fix it. It now runs without it. You may also find an obtrusive file in your root of C:\ called PUT.INI. To remove it (the best way I know how; this is not a cure or inoculation, it just prevents BRASIL from running), you will need to leave Windows completely, REBOOT, hold down the [CTRL] key and don't let it go till a special menu pops up. You may need to leave the keyboard free for 5 seconds when you reboot as it could think you want to change the BIOS. Select the last item: SAFE MODE DOS PROMPT ONLY. Then:
CD\WINDOWS
DIR brasil.pif
There it is, with no time or date, very scary. DELETE IT with
DEL brasil.pif
(I copied mine to brasil2.pif for Norton to examine, then deleted the original)
* YOU CANNOT DELETE THIS FILE IF YOU ARE RUNNING IN WINDOWS *
EDIT brasil.pif
(press Enter once or twice) save that, return to DOS, now LOCK it:
ATTRIB +R brasil.pif
If you look at it again,
DIR brasil.pif
it should have a date & time now and be about 4-6 bytes in length. Reboot. Because this virus is so deeply embedded in your computer now you'll get a notice saying it can't find BRASIL.PIF. Get on the internet. You should see the bottom computer-green-lite not being lit when you are not doing anything. If it's lit, you're screwed.. Transfer over all important files to another computer, access from LAN but leave LAN connection off when you're on the net. Other than that, I don't even think re-installing Windows would work since a re-install just repairs certain parts and doesn't actually format even though it takes the same amount of time. An example of this is put ANY AOL Install CD in your computer and answer about two questions, decide to change your mind about installing it and exit. AOL now says that IExplorer is brought to you by them and even has their LOGO for the spinning activity Icon in the top-right-hand corner. :) You can't remove that now except with a cold FORMAT. Nice people AOL.
Obvious fix to either BRASIL or this is format your HD COLD. My copy of BRASIL2.PIF self-destructed as I was sending it to NORTON for analysis. I didn't delete it, it deleted itself in transit. I also didn't have any other backups of it. I don't like to backup virii. This is a very mean virus. Could someone please send me BRASIL.PIF PKZIPed. I don't think it will activate or self-destruct in a PKZIP file. I'll send that copy to NORTON for analysis. This is all I can offer. Sorry for everyone that got it. From WHERE is what I would like to know tho.. I didn't know virii could be this vicious. Sincerely, =David W= dw817@yahoo.com http://members.fortunecity.com/dw817 (to Vinod, your post wasn't there before I started writing this but is now, that's fine, I didn't know about the registry info, thanks)
|
|
Response Number 24
|
Name: Bill Forsyth, III
Date: October 21, 2002 at 12:30:32 Pacific
|
Reply: We've got the brasil.pif mystery going on here too. I think we've managed to get it under control. After a number of experiments involving a lot of rebooting, zone alarm, and Symantec's article on W32.Opaserv.Worm I think we have it under control. We thought we got rid of it doing the usual boot in MS-DOS mode, deleting files, registry keys, win.ini entries and what not, but it just KEPT COMING BACK!! It appears that as soon as we connected to the internet a bunch of machines were trying to copy data to our machine through ports 1025-1030 (partial zone alarm log follows)
FWIN,2002/10/21,14:43:07 -5:00 GMT,207.5.184.98:1026,12.84.245.205:137,UDP
FWIN,2002/10/21,14:45:39 -5:00 GMT,194.112.2.184:1025,12.84.245.205:137,UDP
FWIN,2002/10/21,14:47:45 -5:00 GMT,148.246.107.239:1027,12.84.245.205:137,UDP
FWIN,2002/10/21,14:47:49 -5:00 GMT,200.195.14.178:1048,12.84.245.205:137,UDP
FWIN,2002/10/21,14:49:46 -5:00 GMT,212.20.108.61:1026,12.84.245.205:137,UDP
FWIN,2002/10/21,14:50:14 -5:00 GMT,200.181.149.75:1027,12.84.245.205:137,UDP
FWIN,2002/10/21,14:52:35 -5:00 GMT,12.84.245.46:1027,12.84.245.205:137,UDP
FWIN,2002/10/21,14:53:41 -5:00 GMT,80.48.95.57:1025,12.84.245.205:137,UDP
FWIN,2002/10/21,14:55:22 -5:00 GMT,12.88.164.104:1030,12.84.245.205:137,UDP
FWIN,2002/10/21,14:57:23 -5:00 GMT,213.137.44.26:1026,12.84.245.205:137,UDP
Obviously, just running zone alarm kept brasil.exe brasil.pif (and scrscr.exe) from being copied to the machine. Symantec's article on W32.Opaserv.Worm explained the exploit that it was using. There is an exploit where a user does not need to know the whole password to write to a network share. brasil.pif just rewrites itself every time you're connected to the internet. The article makes reference to a patch for win95/98/me that solves this problem and for the last 10 minutes we have not gotten a relapse: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp My two cents... Bill
|
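A way to summarise a firewall log like the excerpt in Response Number 24, as an added example that is not part of the original post. The field order is an assumption read off that excerpt, the function names are hypothetical, and the sample log is constructed with documentation-range addresses.

```python
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "kind when src_ip src_port dst_ip dst_port proto")

# NetBIOS name, datagram and session service ports named in the thread.
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample in the layout of the excerpt; the addresses come from
# the documentation ranges, not from the post.
SAMPLE_LOG = """\
FWIN,2002/10/21,14:43:07 -5:00 GMT,192.0.2.98:1026,198.51.100.205:137,UDP
FWIN,2002/10/21,14:45:39 -5:00 GMT,203.0.113.184:1025,198.51.100.205:137,UDP
FWIN,2002/10/21,14:47:45 -5:00 GMT,192.0.2.239:1027,198.51.100.205:137,UDP
FWIN,2002/10/21,14:48:02 -5:00 GMT,192.0.2.98:1031,198.51.100.205:139,TCP
FWIN,2002/10/21,14:49:10 -5:00 GMT,203.0.113.7:3345,198.51.100.205:80,TCP
this line is truncated,2002/10/21
FWIN,2002/10/21,14:57:23 -5:00 GMT,203.0.113.26:1026,198.51.100.205:137,UDP
"""


def parse_line(line):
    """Parse one FWIN record; return None for other or malformed lines.

    Assumed field order: type, date, time plus zone, source ip:port,
    destination ip:port, protocol.
    """
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    kind, date, time_zone, src, dst, proto = parts
    try:
        clock = time_zone.split()[0]  # the zone offset is ignored here
        when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return Event(kind, when, src_ip, int(src_port),
                     dst_ip, int(dst_port), proto.upper())
    except (ValueError, IndexError):
        return None


def summarise_netbios(log_text):
    """Count blocked inbound packets aimed at the NetBIOS ports."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
        else:
            events.append(event)
    hits = [e for e in events if e.dst_port in NETBIOS_PORTS]
    times = [e.when for e in hits]
    return {
        "blocked_netbios": len(hits),
        # Many unrelated sources point at Internet-wide scanning, not one peer.
        "distinct_sources": len({e.src_ip for e in hits}),
        "by_port": dict(Counter(f"{e.dst_port}/{e.proto}" for e in hits)),
        "span_seconds": int((max(times) - min(times)).total_seconds()) if times else 0,
        "other_inbound": len(events) - len(hits),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in summarise_netbios(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high count of distinct sources over a short span is the pattern that explains why the file returns after manual deletion until the ports are closed or the patch is installed.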
|
Response Number 25
|
Name: Norm
Date: October 21, 2002 at 12:34:40 Pacific
|
Reply: Disable NetBios ports

Windows XP
1) Open the Start menu
2) Select "Connect To" (or "Settings", then "Network connections" if you're in Classic mode)
3) Right-click on the network connection icon that connects you to the Internet
4) Right click on "Properties"
5) Open the "Networking" tab
6) Highlight "Internet Protocol (TCP/IP)"
7) Select "Properties".
8) Click the "Advanced" button
9) Open the "WINS" tab.
10) At the bottom of the window, select "Disable NetBIOS over TCP/IP"
11) Click OK
12) Click 'YES' or 'OK' to any messages that appear.
13) Restart your computer.

Windows 2000
1) Open the Control Panel
2) Open the 'Network and Dial-up Connections' icon
3) Right-click 'Local Area Connection'
4) Select 'Properties'. A window should open titled "Local Area Connection Properties". The middle of this window should have a list of components with checkboxes to their left.
5) Select 'Internet Protocol (TCP/IP)'
6) Click the 'Properties' button
7) Click the 'Advanced' button
8) Select the tab marked WINS
9) At the bottom of the window, select "Disable NetBIOS over TCP/IP"
10) Click OK
11) Click 'YES' or 'OK' to any messages that appear.
12) Restart your computer.

Windows 95, 98, ME
1) Open the Control Panel
2) Open the 'Network' icon
3) Scroll through the components listed in the Configuration tab until you find and select the entry marked "TCP/IP" for your network or dial-up adapter.
4) Click the Properties button
5) Open the NetBIOS tab
6) Uncheck Enable NetBIOS over TCP/IP
7) Open the Bindings tab
8) Uncheck "Client for Microsoft Networks" and "File and printer sharing for Microsoft Networks"
9) Click OK
10) Click 'YES' or 'OK' to any messages that appear.
11) Restart your computer.

Good luck
|
|
Response Number 28
|
Name: FaiLSaFe - Frank Roy
Date: October 21, 2002 at 14:11:05 Pacific
|
Reply: OK, brasil.pif, as tied in with scrsvr.exe, is as follows: There is a folder in c:\program Files\Common Files\Symantec Shared\Script Blocking. There you may find the SBSERV.EXE file and/or the SBSETUP file, along with 3 DLL files (scrAUTH.dll, scrBLOCK.dll, and scrTRUST.dll) and SBUILIST.DAT. These are the 'virus' files. The company to blame is OPASOFT; it seems the virus updates itself thru their website. Anyways, in your registry, look everywhere at Hxxx\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ for the scrsvr.exe file activation. You can delete the registry entry on its own, but make sure to go directly to DOS MODE and delete the SCRSVR.EXE file. Before exiting the registry editor, make sure to look for and delete the line(s) activating the 'symantec shared\script blocking\*** -reg' commands. In DOS MODE, delete the BRASIL.PIF file too, and remove the line(s) referring to these files in your C:\WINDOWS\WIN.INI file. Delete the whole SCRIPT BLOCKING folder too (use the DELTREE command). Reboot your computer and it's got nothing to bug it anymore, so far as I can tell. Hope this helps anyone out there.
|
|
Response Number 29
|
Name: Brad Peterson
Date: October 21, 2002 at 14:27:41 Pacific
|
Reply: Woohoo! Finally somebody else has been having the same opaserv problems I have! =) Not that it's a good thing, but I've had my Opaserv worm problems for a while, and Norton AntiVirus doesn't pick it up. Anyways, I have a couple of details to add that haven't been mentioned yet. I've been having my Opaserv problems since October 1st, and have been unable to remove it using Norton AntiVirus. But recently (within the last few days), I noticed that along with adding scrsvr.exe to the win.ini file, it's been adding brasil.pif to the win.ini file as well. Maybe that means this strand of Opaserv was timed to release a brasil.pif file around October 19th? Also, today (October 21st), I noticed my computer has been sending out lots of requests over the internet. According to my ethereal packet sniffer, it's sending out two requests, one on protocol ARP, which is basically doing a bunch of who has this IP requests "Who has 8.27.90.205? Tell 192.168.1.157". The IP addresses it asks for appear to be somewhat random. Also, another request is made over protocol NBNS... ethereal is just describing it as "Name query NBSTAT *....." and so on. It appears it's trying to scan our class C range first... all the 192.168.1.XXX numbers, and then it moves down my tracert route and traces those... weird stuff.
|
|
Response Number 30
|
Name: FaiLSaFe - Frank Roy
Date: October 21, 2002 at 15:25:17 Pacific
|
Reply: Just to add, the company responsible is a Brasilian group called AlevirusSCS, some sort of wannabe 'cracker' group, defacing websites worldwide, trying to label themselves as Hackers, meanwhile giving guys like me a bad name. McAfee is very aware of these guys, as they have a bunch of viruses/trojans out on the Net. Try running Windows Update and get the Shared Level Password update (it's part of the Critical Updates if you haven't downloaded it already) or you can make a search on google.com and find MicrosXck's website that has the patch for direct download. hope this helps. FaiLSaFe AKA SyStEm ByPaSs The Keyboard Cowboy of the World Wild Web
|
|
Response Number 31
|
Name: Dutch
Date: October 21, 2002 at 15:36:38 Pacific
|
Reply: About the Brasil.pif "virus": how I found it and what I did to eliminate it (Win 98 SE). I noticed that my DSL modem was running a lot when my comp was sitting idle. Investigated using netstat set at 2 sec. To use netstat: open a DOS window and type netstat 2 (runs it at 2 sec scans). I noticed it was establishing an address, IP 61.189.199.195. This wasn't an authorized connect as far as I was concerned. To eliminate it I did the following:
1) Eliminate the line about the set screensaver brasil.pif line in the win.ini file.
2) Run regedit; HKEY_LOCAL_MACHINE;Software;Microsoft;Windows;CurrentVersion;Run. Delete the Brasil.pif line (I also deleted the scrnsvr line too).
3) Using Explorer go to the Windows directory and find the brasil.pif file, right click it and get properties, uncheck the archive button, then delete the file.
4) Reboot.
For me this worked!! :-) Good luck to you all too! Dutch
|
|
Response Number 32
|
Name: Steve
Date: October 21, 2002 at 17:24:59 Pacific
|
Reply: This morning Norton Anti-Virus reported that the file C:\windows\scrsrv.exe was infected with the W32.Opaserv.Worm virus. I first opted for the delete file, then the repair, then the quarantine, but Norton was unable to do any of it. I updated my virus definitions and scanned my computer again; Norton found it and couldn't delete it, but this time it was able to quarantine it. I manually deleted the file, but when I rebooted Zone Alarm asked if I wanted to allow brasil.pif to get on the internet. With a little searching I found it in the win.ini file, but when I deleted the line it had there I got the blue screen of death and my computer promptly crashed. When I got back into Windows the line in my win.ini file had returned. This has nothing to do with how good my computer is; I have a very powerful computer which has only given me a few crashes in its lifetime. brasil.pif appears to be a shortcut, although I can't find what it is a shortcut to, and I can't delete it. I'll try some of the suggestions above though, thanks ;)
|
|
Response Number 33
|
Name: llevvinn
Date: October 21, 2002 at 18:21:42 Pacific
|
Reply: Using Win98, did what Dutch recommended (msg 31) and it seems to have worked. Thank you Dutch. This whole thing has cost me a new Norton AV 2003 Professional... should have come here first... Thanks folks...
|
|
Response Number 34
|
Name: Markus
Date: October 21, 2002 at 18:23:50 Pacific
|
Reply: Hi! Please don't panic! The most important point is to close the ports 137 / 139. Look here:
http://www.kaspersky.com/news.html?id=963739
http://www.kaspersky.com/news.html?id=961679
Just after closing these ports, it will make sense to remove this worm with one of the cleaning tools. If you need help, you'll certainly get some at http://www.trojaner-info.de - although it's in German! Regards, Markus
|
|
Response Number 35
|
Name: Markus
Date: October 21, 2002 at 18:26:47 Pacific
|
Reply:
> This whole thing has cost me a new Norton AV 2003 Professional...
No - that's not the jumping point! It's unimportant which anti virus software you use. It's important to close open ports! Regards, Markus
|
|
Response Number 36
|
Name: Markus
Date: October 21, 2002 at 18:34:57 Pacific
|
Reply: Taken from Response Number 29, Brad Peterson wrote:
> Not that its a good thing, but I've had my Opaserv worm problems for a while, and Norton AntiVirus doesn't pick it up.
Of course, it doesn't! Norton Anti Virus (NAV) is detecting this worm, and removing the file. But NAV can't protect against the worm coming back again and again, because your NetBios is open! Please follow the instructions from Response Number 25! Regards, Markus
|
|
Response Number 37
|
Name: João Carlos Cordeiro
Date: October 21, 2002 at 20:38:11 Pacific
|
Reply: Hi, I'm from Brazil. I found the brasil.pif file when I was trying to remove the Opaserv virus. After I eliminated Opaserv, updated my Windows and put in a firewall (Tiny), the problem disappeared.
|
|
Response Number 38
|
Name: Gareth
Date: October 22, 2002 at 01:34:05 Pacific
|
Reply: As a complete amateur in these matters, I'm completely indebted to all you people for your help in controlling opaserv and brasil - I followed all the instructions and things seem to have quietened down (though it was a bit scary making changes to the Registry - something I know absolutely zilch about). But one thing still worries me - if McAfee (my virus program) knows about these viruses' behaviour, why is my first warning of their presence always a Windows message of the sort "can't find scrsvr.exe or one of its components", rather than a McAfee alert? And why does a virus scan do nothing more than delete scrsvr.exe, when there's all that dangerous stuff lurking in the Registry? And also this, very basic, question: my wife came to me after I'd been sweating with this all evening and asked "but what does this virus actually *do*?" ....and I couldn't offer an answer! What damage does brasil and its relatives actually cause?
|
|
Response Number 39
|
Name: Alemaster de argenti
Date: October 22, 2002 at 03:32:17 Pacific
|
Reply: The virus isn't so new; it's a sort of rendition of the bin laden_brasil.exe of last year. The thing nobody said is that the virus modifies the system.ini file at the shell=explorer line, adding 3 random variable.exe files that of course are the virus. You should also experience that a message appears like explorer has caused an error in . It copies, in some versions, an invictus.dll to c:\windows. Solution: block ports as Markus says, then delete registry hives, then write on system.ini shell=explorer.exe, finally delete invictus.dll and overwrite with notepad scrvsr.exe and brasil.exe and .pif with 0 bytes length. Put read only, then try to delete from prompt, or take out the hard disk and access it with another operating system as slave and delete it, or install winnt 4.0 and delete the pif file. For more information go to Symantec search and put brasil.exe and Read!!!
|
|
Response Number 40
|
Name: larry
Date: October 22, 2002 at 04:44:08 Pacific
|
Reply: Questions: In the win.ini file it looks like this:
[windows]
load=
run=c:\windows\scrsvr.exe,c:\windows\Brasil.pif
NullPort=None
Do I delete the entire line that begins with run or just a portion of it?
2) I ran regedit but I am not showing the brasil in any of the registry including the HKEY_LOCAL_MACHINE area. What does that mean?
3) In c:/windows I have the following:
Brasil - this is an application
Brasil - this is a dos file
Will I uncheck archive on both of these and delete them? Thanks for the replies.. I need to get rid of this but don't want to mess up my system.
|
|
Response Number 41
|
Name: Papahu
Date: October 22, 2002 at 05:41:43 Pacific
|
Reply: I've got more in win.ini:
run=brasil.pif,brasil.exe,alevir.exe,scrsvr.exe
Every time after I erased them, they randomly come back. What could I do? Is alevir.exe a new tail of opaserv?
|
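The start-up lines quoted in Response Numbers 40 and 41, and the system.ini shell= line mentioned in Response Number 39, can be checked with a short script. This is an added example, not code from the thread: the function names are hypothetical, the list of file names is only what posters here reported, and the system.ini and mixed win.ini samples are constructed.

```python
import ntpath
import re

# File names reported in this thread; not a complete indicator list.
THREAD_NAMES = {"scrsvr.exe", "brasil.pif", "brasil.exe", "alevir.exe"}

# Auto-start values the thread mentions for Windows 9x.
WIN_INI_KEYS = {("windows", "load"), ("windows", "run")}
STARTUP_KEYS = WIN_INI_KEYS | {("boot", "shell")}

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([^=;\s][^=]*?)\s*=(.*)$")

# As quoted in Response Number 40.
WIN_INI_LARRY = r"""[windows]
load=
run=c:\windows\scrsvr.exe,c:\windows\Brasil.pif
NullPort=None
"""
# Constructed: the line from Response Number 41 plus one unrelated program.
WIN_INI_MIXED = r"""[windows]
run=brasil.pif,brasil.exe,alevir.exe,scrsvr.exe,c:\tools\clock.exe
"""
# Constructed: shell= with one extra, randomly named program appended.
SYSTEM_INI = """[boot]
shell=Explorer.exe qzxvbn.exe
"""


def split_entries(value):
    """Split a value into program entries on commas or whitespace.

    Assumption: no entry contains a space (8.3 paths), as in the thread.
    """
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]


def classify(key, entry):
    name = ntpath.basename(entry).lower()
    if name in THREAD_NAMES:
        return "reported"
    if key == "shell" and name == "explorer.exe":
        return "expected"
    return "review"  # unknown program: a person has to decide


def audit(ini_text):
    """Return (section, key, entry, verdict) for every auto-start entry."""
    findings, section = [], None
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = KEY_RE.match(line)
        if m and (section, m.group(1).lower()) in STARTUP_KEYS:
            key = m.group(1).lower()
            for entry in split_entries(m.group(2)):
                findings.append((section, key, entry, classify(key, entry)))
    return findings


def remove_reported(ini_text):
    """Return win.ini text with 'reported' entries dropped from load=/run=.

    The key itself stays (possibly empty); every other line is untouched.
    """
    out, section = [], None
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
        k = KEY_RE.match(line)
        if k and (section, k.group(1).lower()) in WIN_INI_KEYS:
            keep = [e for e in split_entries(k.group(2))
                    if classify(k.group(1).lower(), e) != "reported"]
            line = f"{k.group(1)}={','.join(keep)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for text in (WIN_INI_LARRY, WIN_INI_MIXED, SYSTEM_INI):
        for finding in audit(text):
            print(finding)
    print(remove_reported(WIN_INI_MIXED), end="")
```

Several posters note that the lines return until the network share hole is closed, so a clean result from this check only describes the files at the moment it ran.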
|
Response Number 42
|
Name: Dutch
Date: October 22, 2002 at 05:41:47 Pacific
|
Reply: Brasil.Pif "virus" addendum !! I have received several emails about using this technique for deleting the appropriate files. Let me add that this WILL NOT work unless you have installed ALL security patches and tech updates from Microsoft!!! The tech bulletin that applies to this security hole is: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp Sorry about this! Dutch
|
|
Response Number 43
|
Name: julia
Date: October 22, 2002 at 07:09:06 Pacific
|
Reply: I am also having fun with this virus... (and thanks for the various posts above, they have been very helpful) I'm a little confused because I have not seen anything in win.ini as described above (this could be because I never looked there until after running the symantec tool to remove srcsvr.exe?) I do have a file called put.ini, which I see mentioned above - what should I do to/with this file? I managed to delete the brasil.exe and the brasil.pif files (thanks again!), which haven't come back so far, but do not feel confident that I have cleansed my system yet. (I downloaded the security patch, but haven't installed it yet - it was time to go to work.) also, how does one block port 137? (or 137-139, as suggested above) reviewing my security log i noticed brasil.pif was trying to contact, among others, the air force, dept. of defense, new york city PD, medical centers... does anyone have an idea what it's trying to do there? just spread itself? i read elsewhere that this virus was one which copied the victim's harddrive to the remote controller, is this true? any answers to my above queries would be most appreciated (sorry if this is a rather long-winded post, i was up half the night messing with this and am not at my most coherent right now.) be well.../julia
|
|
Response Number 44
|
Name: John K
Date: October 22, 2002 at 07:26:33 Pacific
|
Reply: Thanks to all here. Do you think that this virus could have disabled safe mode bootups? When I try it, after loading a few drivers the computer does a power off shutdown. It will do a normal boot though.
|
|
Response Number 45
|
Name: John K
Date: October 22, 2002 at 07:39:19 Pacific
|
Reply: The problem in my previous post #44 is entirely unrelated to the brasil.pif. It was another problem that cropped up while trying to deal with the virus. I apologise for any confusion.
|
|
Response Number 47
|
Name: julia
Date: October 22, 2002 at 11:09:02 Pacific
|
Reply: Answers to 40:

"Do I delete the entire line that begins with run or just a portion of it?" Delete the whole line.

"2) I ran regedit but I am not showing the brasil in any of the registry including the HKEY_LOCAL_MACHINE area. What does that mean?" do you see scrsvr.exe anywhere in there? 'brasil' is a sort of bonus prize which comes with scrsvr.exe (brasil being part of a new variation of the W32 Opaserv worm), and that's probably what you will find in the registry. (that's how it was on my machine.)

"3) In c:/windows I have the following: Brasil - this is an application; Brasil - this is a dos file. Will I uncheck archive on both of these and delete them?" If you are running windows you won't be able to delete the dos file (brasil.pif), you can do a restart in ms-dos mode to delete it, or boot to a dos prompt - at the c: prompt type "del brasil.pif" (without the quotes) the brasil.exe can be deleted while windows is running (at least, i was able to) - i think this is described in an earlier post, also.

there is additional info at the symantec and kaspersky websites - symantec has a free tool for getting rid of scrsvr, and fixing changes it's made - you may want to run that tool before manually getting rid of brasil (i am not an expert, but this has seemed to work on my machine, without it coming back, which some of the people above have been describing.) Now if anyone has any answers to number 43... good luck.../julia
|
|
Response Number 48
|
Name: Brad Peterson
Date: October 22, 2002 at 11:11:14 Pacific
|
Reply: Larry, I'll respond to 40! =) I just spent 6 hours yesterday researching and removing this virus on 5 computers on our network. Here's a few things to help you out.

First, boot up into safe mode. Next, you will need to work with your win.ini file. You need to be very careful with this, because sometimes (3 times on our network) it virtually deleted all of the content out of the win.ini file (this caused our fonts and printers to be messed up). Luckily, on one computer, the virus made a copy of the win.ini file before destroying most of its contents, and placed that copy on the C drive as c:\put.ini. So on that computer, I did a "copy c:\put.ini c:\windows\win.ini". If you have a put.ini file, make sure you copy that back into your windows folder as win.ini. If not, just go into your regular win.ini file. Once you're in your win.ini file, remove the ENTIRE line that started with "run=". The stuff after the run= are commands that help your computer run correctly...they are not from the virus.

Next, go into your windows folder, and delete the brasil files (brasil.pif and brasil.exe, if it exists). Next, run Notepad, and then save the blank page and call it c:\windows\brasil.pif. Do another blank page and save it as c:\windows\brazil.exe. Now, go back to your windows folder, do a right mouse click on the brasil.pif file you just created, go to properties, and click on the "read-only" option. Do the same for the brasil.exe file. What you have just done in this process is created dummy brasil files that the brasil virus cannot overwrite. So for example, if it tried to get back on your system, it will try to copy itself in the windows directory. But those two files you created with brasil's name will refuse to be overwritten, and bingo, you've blocked the virus.

But that's not all yet. You will need to go into the following folder, if it exists: C:\program files\common files\symantec shared\script blocking. If this folder exists, follow the instructions on Response Number 28. Like he said, you'll need to delete the whole script blocking folder and all the files in it. One thing that wasn't specifically mentioned that I found may help is to search the registry for every .dll file that was in the script blocking folder. (For example, first search scrAUTH.dll, and delete anything with any reference to that) I found roughly 20 registry entries overall from these dll files in there.

Go ahead and reboot your computer, and the virus should be gone. I haven't seen it come back yet (I have also run the patch from microsoft, many people listed the link above), but I haven't turned off my NetBIOS ports, (as others have mentioned). Our entire network seems to be doing fine now. I hope this helps, if you have questions, just write back. Brad Peterson
|
|
Response Number 49
|
Name: Helmut G. Vogel
Date: October 22, 2002 at 11:12:06 Pacific
|
Reply: Reply for 40
1) If you don't know the programs behind RUN= or Load=, just delete the whole line.
2) If you don't find entries with these names by regedit, be lucky they have not made it there yet.
3) Whether application or DOS, just delete them.
4) If you then produce files brasil.pif, brasil.exe and scrsvr.exe with no content and mark them write-protected, it may be a little harder for them to reoccur.
Good luck. PS. I use Zone Alarm now and it seems to hold.
|
|
Response Number 50
|
Name: Brad Peterson
Date: October 22, 2002 at 11:22:19 Pacific
|
Reply: Julia, in my previous post (#48) I talked about the put.ini file. It's essentially a copy of your original win.ini file, except with the run= line in there. I was actually very happy to have that put.ini on my laptop, since it contained lots of info for my computer that the virus later took out of my win.ini file. So I copied my put.ini file over the top of my win.ini file, then removed the run= line, and bingo, my computer was back to normal. All of my printers and fonts that were messed up because of the virus were now running well again. As for the ports...I'm not too sure if that's just a rumor or not. Our network is fine now, and our ports are still open. As for the communication, I mentioned some stuff on that I think in post #29. I had a packet sniffer that tracked the network requests made by the virus. First it picks your network IP address, say, 192.168.1.XXX, then it runs down the list of all 255 possibilities. 192.168.1.0, 192.168.1.1, etc. After that, it seemed to just pick random IP addresses, say, 19.192.38.XXX, and then go down that list of all 255 in there. I never checked like you did if these sites match up to anything important.
|
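The sweep pattern reported in Response 50 (one host walking every address in a /24 on the NetBIOS ports) is easy to spot in outbound firewall logs. The following is an added example, not part of any poster's message; the log format, the 50-host threshold and all addresses in the sample are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

NETBIOS_PORTS = {137, 138, 139}
# Constructed log format for this example:
#   "<date> <time> OUT <proto> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"OUT\s+(?:UDP|TCP)\s+(\S+)\s+->\s+(\S+):(\d+)\s*$")


def parse(lines):
    """Yield (src, dst, port) from log lines, skipping anything unparseable."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue
        yield str(src), dst, int(m.group(3))


def find_sweeps(lines, min_hosts=50):
    """Return (src, /24 block, distinct hosts contacted) for NetBIOS sweeps.

    A source is flagged when it contacts at least min_hosts different
    addresses inside one /24 on ports 137-139 (threshold is an assumption).
    """
    seen = defaultdict(set)
    for src, dst, port in parse(lines):
        if port in NETBIOS_PORTS and dst.version == 4:
            block = ipaddress.ip_network(f"{dst}/24", strict=False)
            seen[(src, str(block))].add(dst)
    return sorted((src, block, len(hosts))
                  for (src, block), hosts in seen.items()
                  if len(hosts) >= min_hosts)


def sample_log():
    """Constructed sample: one sweeping host, one host doing normal lookups."""
    lines = []
    for prefix in ("192.168.1", "198.51.100"):      # own subnet, then another /24
        for host in range(255):
            lines.append(
                f"2002-10-22 11:05:00 OUT UDP 192.168.1.23 -> {prefix}.{host}:137")
    for host in (10, 11, 12):                       # ordinary name lookups
        lines.append(
            f"2002-10-22 11:06:00 OUT UDP 192.168.1.40 -> 192.168.1.{host}:137")
    lines.append("2002-10-22 11:06:05 OUT TCP 192.168.1.40 -> 203.0.113.9:80")
    lines.append("garbled line that the parser must ignore")
    return lines


if __name__ == "__main__":
    for src, block, count in find_sweeps(sample_log()):
        print(f"{src} contacted {count} hosts in {block} on NetBIOS ports")
```

A host that appears in this output is a candidate for the cleanup steps described in the thread; a machine that only talks to a handful of neighbours on port 137 stays below the threshold.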
|
Response Number 51
|
Name: Newman
Date: October 22, 2002 at 11:32:22 Pacific
|
Reply: For those of you who are deleting files within the C:\Program Files\Symantec Shared\Scriptblocking, this is not necessary for the removal of this virus. By looking at the path, it provides insight as to what these files are: Norton AntiVirus Script Blocking components. If you think I am incorrect, check the file properties, Click the Version tab, and look at the Manufacturer. By deleting these files, there is a potential to break Windows Scripting.
|
|
Response Number 52
|
Name: Chuck Solo
Date: October 22, 2002 at 13:06:50 Pacific
|
Reply: I regularly check system configuration for unknown programs (by going to START..RUN..and ENTERING "msconfig") I found brasil.pif and scrsvr.exe running... It really pisses me off to know that people would waste so much time writing such malicious code!! I have sensitive files on my computer and don't want to lose anything!!! FORGET THE WAR ON TERRORISM THIS IS THE WAR ON COMPUTER NETWORKS!! main questions... 1. DO THESE VIRUSES DAMAGE or ERASE ANY COMPUTER FILES? 2. DOES ANYONE REALLY KNOW THE FULL EXTENT OF THE DAMAGE THAT THESE VIRUSES CAUSE ?? (I know I should have got a MAC)!! please help! Chuck ((Part of me thinks that this was done by the people that make virus programs.. so they can sell us new software..or maybe Bin Laden learned coding, moved to a cave in Brasil somewhere with a really powered laptop and a cell phone..Let's hope some journalists get infected so it'll make the evening news..Whoever created this thing, I hope they rot in hell!))
|
|
Response Number 53
|
Name: angelface
Date: October 22, 2002 at 15:24:14 Pacific
|
Reply: Following scrsvr.exe i spotted that brasil.pif acted a similar way so i used the similar method to get rid of it - pretty much of what everyone had said about deleting line from win.ini, deleting regedit values, del the files from dos, etc. i did not know though the netbios and closing the ports although i didn't have a problem of either coming back. However i think the problem with my computer has worsened since today NAV picked up a virus called alevir.exe (assumingly the alevirus someone has mentioned before that is behind all this opasoft). After reading all these wonderful ways to get rid of the worm I noticed that in checking any file containing the text 'brasil','scrsvr' or 'puda' returned a lot of files, most of which are system files and I would not be confident to fiddle around with. I have also attempted to change the NetBios setting as recommended by Msg 25 (I have Windows 98) however the tickbox for the setting has been disabled (grey). Is there any other way I could change the setting? Can I not just close port 137/139 since it seems to be where the problem lies anyway? i would very much appreciate any help!
|
|
Response Number 54
|
Name: Underdog
Date: October 22, 2002 at 15:52:14 Pacific
|
Reply: FOR ALL YOU WIN ME & XP USERS: Don't forget that Win ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You might want to disable the System Restore Utility to remove the infected files from the C:\_Restore folder and then turn it back on. Just a suggestion. V-Peace-V
|
|
Response Number 55
|
Name: Brad Peterson
Date: October 22, 2002 at 16:52:24 Pacific
|
Reply: Chuck, The virus will cause minimal damage to your system. Norton Anti-virus's website doesn't mention anything about any damage. But according to me, it can cause damage. =) I've seen it firsthand. The biggest issue is that it can remove virtually everything out of your win.ini file. This means things like your fonts and printer settings will change or no longer work. Sometimes the virus will make a copy of your win.ini file and call it put.ini in your c:\ before it deletes win.ini's contents, (see message 50). The best way I can tell to see if your win.ini file has been damaged is to go into a DOS prompt (Start->run, and then type in command), go into the windows directory (cd c:\windows), and then look at the win.ini file to see if it has been damaged (dir win.ini). If your win.ini file has no date or time, it's been hit hard. If not, just follow the instructions everyone has listed so far. If your win.ini file was hit hard, I wrote some more instructions in message #48 to help (just follow the first paragraph to get your win.ini file) Other than that, the virus doesn't erase any files, create malicious attacks, etc. Everything else it does is just mildly annoying. NOTE TO EVERYONE! I just checked Norton's website for the opaserv worm. They just updated it, after having left the page alone for weeks. Although they still don't mention a single detail about the brasil.pif file. At least this shows they've noticed a new problem and hopefully they're working on better fixes. (I sure hope so, their tools would never remove it from my computer)
|
|
Response Number 56
|
Name: Markus
Date: October 22, 2002 at 20:24:20 Pacific
|
Reply: *** removal instructions *** Hi! As I told you before: The important point is to close ports 137-139!
Stand-Alone-PC's, Win 95 / 98: Rename the file vnbt.386, which you usually find in C:\WINDOWS\SYSTEM, to vnbt.386.old, and reboot your machine.
PC in a network: Please look at http://www.trojaner-info.de/report_port139.shtml - it's a German site. If you need a translation, just tell me. But now it's already too late, I need to sleep now. ;-) Regards, Markus
|
|
Response Number 57
|
Name: Giulio
Date: October 22, 2002 at 21:18:00 Pacific
|
Reply: Hi. (I use win98) I got all the four versions of the worm: 1. scrsvr.exe 2. brasil.pif 3. brasil.ini 4. alevir.exe This while protected by Norton Antivirus 2003 (ok, NAV cannot prevent this if ports 137-139 are open... but which antivirus one should use to be safe?) Cleaning the win.ini file, the register and creating the read-only dummy files seem to work, but something is not yet clear to me, I shall be grateful to anybody answering: a) me and my roommate connect to the same server from the same house, using the same software, with two different computers: I am continuously infected while she has never been: SO, is there some software in my computer (or something still hidden after the first infection) which "attracts" or "calls" the virus from somewhere when I connect to the internet?!? Otherwise I cannot explain continuous infections... Now I am "clean" thanks to the dummies but the virus is still trying to infect me (I forgot to switch the brasil.exe dummy to read-only and I've been infected again after 5 minutes!), so I cannot feel safe until I understand what "calls" for the infection (by the way, if the virus appeared with a fifth variant beyond 1.-4. above, would be easy to be infected again...) b) The solution seems to be the closure of ports 137-139. BUT does this affect the working of Windows (or, in other words, what's the task of these ports)? Thanks to everybody for this forum... Giulio
|
|
Response Number 58
|
Name: Markus
Date: October 22, 2002 at 21:45:56 Pacific
|
Reply: Hi!
>is there some software in my computer (or something still hidden after the first infection) which "attracts" or "calls" the virus from somewhere when I connect to the internet?!? Otherwise I cannot explain continuous infections...
No! Let me explain: It's an old and well-known problem of Windows. There isn't anything that is calling for the worm, no: the worm is "visiting" you, although without any invitation. ;-) It's like an open door at your house. Everybody would go inside, although he / she hasn't been invited. ;-)
>b) The solution seems to be the closure of ports 137-139.
It doesn't just seem as if! Of course it is the solution!
>BUT does this affect the working of Windows (or, in other words, what's the task of these ports)?
Well, it's a bug, and not a feature!! Again: Just close these ports! It's just an advantage to close the ports! So follow the instructions above: rename the file vnbt.386 to vnbt.386.old, reboot your machine, then delete all malicious files and be happy. ;-) Regards, Markus
|
|
Response Number 59
|
Name: Markus
Date: October 22, 2002 at 21:54:58 Pacific
|
Reply: I wrote: So follow the instructions above: rename the file vnbt.386 to vnbt.386.old, reboot your machine, then delete all malicious files and be happy. ;-) Addendum: If someone has got a network, it's not as easy as described here. Please pay attention to Response Number 56! Regards, Markus
|
|
Response Number 60
|
Name: Trish
Date: October 23, 2002 at 04:45:35 Pacific
|
Reply: No one seems to be talking much about the role of shared drives in this infection. I am on a network and the only computers that were infected by this worm had shared drives... one was passworded, the others had no passwords. If you have your c: drive shared, and you don't need it shared, take sharing off. If you have your drive shared for a reason, take it off while you remove the worm, download the security patch from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp, and turn sharing back on with a password that is not easy to crack (i.e., not a dictionary word). Trish
|
|
Response Number 61
|
Name: jim
Date: October 23, 2002 at 09:20:37 Pacific
|
Reply: Further question on closure of ports 137-139. As per response 56, if you have win98 in a peer to peer with a hub connection. If you rename the vnbt.386 file, have you closed ports 137-139?
|
|
Response Number 62
|
Name: Diane
Date: October 23, 2002 at 16:14:09 Pacific
|
Reply: Thanks to everyone's help I thought I had cleared Brasil.Pif. But it is back on one computer so far. I had removed the run line in win.ini & NAV had deleted the brasil.pif file. I created brasil.pif, brasil.exe, and alevir.exe as empty files with a +r attribute. I also checked regedit for any occurrences of Brasil (didn't find any on most infected computers). Now after exactly 48 hours, 1 of the computers is reinfected with Brasil.pif. It looks like it renamed brasil.pif to brasil.pif.pif (which is still read only), then created its own virus version of brasil.pif. Also, I noticed that the root has a hidden folder called TMP.INI which doesn't seem to have any files in it. Also, win.ini has the run statement back. Does anyone have any ideas? I have set up the dummy files again but hesitating about plugging this computer back into the network & about to disconnect the other computers that have been infected in the past by opaserv.
|
|
Response Number 63
|
Name: Brad Peterson
Date: October 23, 2002 at 22:34:12 Pacific
|
Reply: GRRR! Alright, after following many tips, and thinking I had brasil.pif gone for good, I now have the scrsvr.exe and alevir.exe viruses. I thought our network was clean, but nope, something's back. Just a note for anyone trying to use my prior suggestions for cleaning out the virus, DO NOT DELETE THE SCRIPT BLOCKING FILES FOR NORTON ANTIVIRUS. They mess up your anti-virus software, and they'll mess up Internet Explorer's JavaScript. I had to reinstall both products. Anyways, I seem to be at a final option. Those Ports 137 through 139. I need to turn them off. Unfortunately, many people have basically said "You just turn them off...you idiot...I mean...jeez, we learned that in 1st grade." While the rest of us are saying "How do we turn it off! We don't know German! Don't give us German links!" If anyone can write clear cut instructions on how to turn off these ports in win98, I would be extremely grateful.
|
|
Response Number 64
|
Name: Brad Peterson
Date: October 23, 2002 at 23:34:25 Pacific
|
Reply: Ok! I found a great website that describes in clear detail and nice screenshots how to close port 139! (Well, actually you're turning off NetBIOS, which may be ports 137-139). This site is listed here: https://grc.com/x/ne.dll?bh0bkyd2 The first page contains a couple of tests, a shield scan and a port scan...very nicely done..run those for kicks. If you scroll down to section 5 "Network Bondage", it will explain how to turn off port 139. (It's kind of a roundabout solution. You do not simply uncheck some box labeled "Port 139?") I hope this helps. Since turning off the port, I haven't had any reoccurring problems. (I turned it off an hour ago, but I was getting virus warnings from Norton every 15 minutes). If this doesn't work...darn...I'll have no clue what to do.
|
|
Response Number 65
|
Name: julia
Date: October 24, 2002 at 09:10:51 Pacific
|
Reply: symantec has released a free tool to remove opaserve.e - aka brasil.exe/.pif - if people are still having problems, you can find that here: http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.e.worm.html even tho' my system seems to be ok again, i think i'm going to run it myself anyway - good luck, all, and many thanks again for everyone's comments & advice. be well.../julia
|
|
Response Number 66
|
Name: Terri
Date: October 24, 2002 at 23:40:38 Pacific
|
Reply: I don't know if anyone is still following this thread or not. My concern is Markus is demanding that everyone close ports 137-139. Stop and think people. If you do this you shut off your network connection!!! Yes you get rid of the virus but you also get rid of your networking!! My computers share an internet connection so I can't do this. And you say Norton doesn't find it? NO on a scan mine didn't either, but upon boot up I get this big red screen saying I have these infected files on my pc and what would I like to do with them? And I have to tell you I didn't spend an arm and a leg on the brand new NAV 2002 Professional version. All I had on my machine was NAV 5.0 with a live update downloaded after installation. Wiped it right out, but ya it kept coming back. For 2 days I battled it. Till I found I could go into msconfig/Win.ini and edit the lines out of there. Mine just so happened they attached themselves to other command lines so it wasn't as easy as just deleting the lines. So be careful in deleting too quickly. I can only assume the Microsoft patch works because I put it on and no more virus. But in the mean time I was given some software last x-mas I hesitated to put on at the time. Now I am thankful for it. A stupid old program called: Security 98. It makes all your system files "read only" and can be set up to notify if there is an attempt to change them. It also offers a virus scanner/file encryption/internet secure mode/ and a whole lot more. Now it is installed on both pc's and I don't have the virus anymore. I even uninstalled NAV to see just how good it works. But this is just my way out of this. My main reason for posting was to try to counteract Markus's demand to close network ports. You can't access networked files/printers if the ports are closed. I guess he hasn't figured that out yet.
|
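Responses 48, 50 and 66 together describe a win.ini cleanup: restore from c:\put.ini when win.ini has been emptied, then remove the worm's autostart entry, taking care when it shares a run= line with legitimate programs. The following is an added sketch of that check, not part of any poster's message; the watch list comes from file names mentioned in this thread, while the sample files, printmon.exe, fastfind.exe and the section-count heuristic are constructed assumptions.

```python
import ntpath
import re

# Worm file names reported by posters in this thread.
WATCHLIST = {"brasil.pif", "brasil.exe", "scrsvr.exe", "alevir.exe", "marco!.exe"}
AUTOSTART_KEYS = {"run", "load"}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def section_names(text):
    """Lower-cased section headers found in an INI text."""
    return [m.group(1).strip().lower()
            for m in map(SECTION_RE.match, text.splitlines()) if m]


def audit_win_ini(text):
    """Return (findings, cleaned_text).

    findings: (line number, key, entry) for each watch-listed autostart entry
    in [windows]. cleaned_text drops only those entries, so legitimate
    programs sharing the same run=/load= line survive.
    Assumption: entries on a run=/load= line are separated by spaces or commas.
    """
    findings, out, section = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip().lower()
        key, sep, value = line.partition("=")
        key = key.strip()
        if section == "windows" and sep and key.lower() in AUTOSTART_KEYS:
            keep, hit = [], False
            for entry in filter(None, re.split(r"[,\s]+", value.strip())):
                if ntpath.basename(entry.strip('"')).lower() in WATCHLIST:
                    findings.append((lineno, key.lower(), entry))
                    hit = True
                else:
                    keep.append(entry)
            if hit:
                line = f"{key}={' '.join(keep)}"
        out.append(line)
    return findings, "\r\n".join(out) + "\r\n"


def choose_base(win_ini, put_ini=None):
    """Pick the text to clean: put.ini when win.ini looks emptied.

    Heuristic (an assumption of this example): the copy with more section
    headers is the intact one.
    """
    if put_ini is not None and len(section_names(put_ini)) > len(section_names(win_ini)):
        return "put.ini", put_ini
    return "win.ini", win_ini


# Constructed sample files; printmon.exe and fastfind.exe are made-up entries.
SAMPLE_WIN_INI = "[windows]\r\nrun=c:\\windows\\brasil.pif\r\n"
SAMPLE_PUT_INI = (
    "[windows]\r\n"
    "load=C:\\TOOLS\\fastfind.exe\r\n"
    "run=C:\\WINDOWS\\printmon.exe c:\\windows\\brasil.pif\r\n"
    "[fonts]\r\n"
    "[devices]\r\n"
    "HP LaserJet=HPPCL5MS,LPT1:\r\n"
)

if __name__ == "__main__":
    source, base = choose_base(SAMPLE_WIN_INI, SAMPLE_PUT_INI)
    hits, cleaned = audit_win_ini(base)
    print(f"cleaning from {source}; removed {hits}")
    print(cleaned)
```

Review the findings before writing the cleaned text back, and keep a copy of the original file; an unfamiliar entry that is not on the watch list is left in place for a human to judge.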
|
Response Number 67
|
Name: kirk
Date: October 25, 2002 at 21:18:41 Pacific
|
Reply: I connect via a cable router, have three PC's that access the web via this network. I used the steps identified in #64, it works great and my ports are closed. I had to print out all 17 pages to follow step by step, but it was worth it. I am convinced closing the ports is key. The web site will explain why and walk you thru it.
|
|
Response Number 68
|
Name: Cyberdude
Date: October 27, 2002 at 21:41:05 Pacific
|
Reply: OK this is how FOR SURE Search Win INI. del all values search registry del all values search hard drive del all values exit into dos mode del all values in windows restart they will be gone when searching search Brasil.exe, Alevir.exe Scrsve.exe Scrsvr.exe marco!.exe REMOVE ALL OR IT WILL COME BACK
| |