I'm writing this because many people have had problems and are confused about how the Opaserv worm works. This article came in response to many people's hard work trying to figure out the virus, including Reginald, Angie, mr.dish, myself, and many others. This article will better explain how the virus works, and what tests I ran to determine that. (If you want to see more about this virus, read all the Opaserv threads on this site.)
I ran a test with a packet sniffer and a dial-up internet connection. I then turned off my firewall (opened my ports 137-139) and then waited. Here's the results:
At 11:42 a.m. I opened my ports.
At 11:45, I noticed large amounts of communication.
15 seconds later, Norton informed me that I had alevir.exe. During this time, I received roughly 47k bytes, and transmitted out 6k bytes.
Now I looked at all the data, and WOW! I've got tons of information!
The first transmission was outbound, doing something over the NetBIOS protocol (port 137 in this case). This IP address responded quickly to me in roughly .01 seconds. I'm betting my computer remembers from previous experience that this IP address is also infected, and my computer can use it to get updates. Sounds like peer to peer, eh? Now the reason I say that my computer remembers that this IP address will resupply me with an infection is...because the first time I got this virus, I'd watch my packet sniffer, and the virus started doing a bunch of "name query NBSTAT" requests down my IP list, starting at 192.168.1.0 to 192.168.1.255, and then it moved onto another IP range, and started querying those. But this time, my virus doesn't do that; it queried one IP address, and immediately received a response. That IP address eventually sent me either the virus or NetBIOS requests to launch the virus. This means that some other person, on my ISP, is infected, and tried to send me the virus! Wow, I'm still amazed at how creative this virus is, I've never seen one work like this before.
Ok, 0.339681 seconds after the transmission began, I communicated again with this other nearby IP address on my internet service provider, and it sent me a command to create windows\brasil.pif (my computer rejected that, since I had made a +r brasil.pif dummy file). This communication took place over port 139.
WOW! THIS IS COOL! It sat for roughly 137.1 seconds, and then it made another "name query NBSTAT" request...(I'm guessing a "do you contain a virus?" request) over the NetBIOS protocol to an ENTIRELY different IP address. This one is located in Mexico. In the request, you can see the request out and the request in contain the same coded data. (....)
Also, this request took place over port 137.
We instantly communicated again after I received the coded response that this computer did have a virus for me. This new communication took place over port 139. The contents of this communication are much, much larger than the other one. In the first few lines, this one didn't ask me to launch brasil.pif like my first transmission did; this one asked me to launch alevir.exe!
This explains why sometimes you randomly get infected with different variants of the virus. Your computer is searching for other infected computers, and when it finds one, that infected computer sends you whatever virus it has! It's like random peer to peer: you get whatever they send you. My first time, it was brasil.pif; the second time was alevir.exe. This also explains that you aren't receiving the virus from a hacker, but instead from somebody else who is infected. (Reginald, yours came from IP address 224.0.0.02; mine shows no trace of communication with that port.)
Anyways, the contents of this alevir transmission were much larger, some 44000 bytes, compared to 285 bytes. I believe I have an explanation for this. The 285 byte transmission tried to create brasil.pif, and my computer sent back that it failed (because it couldn't create it due to the +r read only flag on the dummy brasil.pif file). Because it couldn't create the file, the virus stopped communicating.
As for the 44000 byte Alevir transmission: I do NOT have a dummy +r alevir.exe file. Therefore, when the network communication started, it tried to create alevir.exe, and my computer instantly sent back a "response completed" communication. Therefore, the virus kept the communication going. I then received a lot of stuff, can't tell what it is exactly (if I had an alevir.exe file, I could check to see if portions of the binary code matched the binary I received over the transmission. I'm betting though it is the alevir.exe executable). Intermixed with this communication is some readable code, namely http requests of all sorts to www.n3t.com.br, as well as a bunch of dll file names and threads associated with them (API calls?). There's also some registry keys, file names like alevir.exe, alevir.dat, alesout.dat, puta!!.exe and so on. Finally, I see a "windows\win.ini" in there. Yep, looks very suspiciously like the virus executable.
Now here's another scary part: after I appeared to receive the virus executable, my entire win.ini file was sent BACK to the computer I received the virus from! Is that creepy or what? Luckily, I'm not sending it back to some hacker, but rather some other person who's infected. So I bet if I leave my ports open, and some other person requests the virus from me, I could watch the network communication, and see their win.ini file.
After my win.ini file was sent off, the transmission stopped. I then turned ZoneAlarm back on, and of course, I haven't had a virus since.
So the following things can be concluded from this:
1) The executables of the virus are taken off your computer by anti-virus software, but not the rest of it (or all of what it changed).
2) Something, somewhere on your computer, tells your computer to query IP addresses over port 137 until it finds a computer that is infected.
3) If you've been previously affected, your computer *remembers* what IP address can be called to get reinfected.
4) When an infected computer is found, communication instantly starts over port 139, where the virus tries to create a file on your computer in the windows directory (whatever opaserv variant the infected computer has).
5) If the virus can't create that file, it sends back a response saying the creation failed. The virus stops making further requests. It will then request again a few minutes later (137.1 seconds in my case).
6) If the virus could create the file in your windows directory, it sends back a response saying the creation was completed, and then the infected computer downloads the virus executable code to your computer.
7) Your win.ini file appears to be sent back to the infected computer.
8) The virus runs, and Norton (or whatever anti-virus software you have) catches the executable, and removes it.
9) This also removes any idea that the virus morphs into a new variant on a particular date; instead, it is released onto the internet by some person, and then it spreads across the world.
I hope this helps anyone trying to understand how this virus works. I later plan on taking a snapshot of a clean computer's hard drive before and after an infection to see exactly what files changed in size/date/content, as well as .ini file changes and registry key changes. I'll post the results when I get them. Hopefully that will tell us how to fully remove the virus from your system instead of suppressing it.
If you are here looking for a fix, try my solution on this post:
http://www.computing.net/security/wwwboard/forum/2985.html
or just check out other people's solutions on the Opaserv posts.
Brad Peterson
b_peterson@yahoo.com
feel free to email me for help removing this worm, questions, etc.
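The probe-then-push sequence Brad describes above (an NBSTAT name query on UDP/137, then an inbound session on TCP/139 that tries to create a file under the Windows directory, followed either by a "failed" status or by the payload and a win.ini readback) can be turned into a simple correlation rule. The Python script below is an added example, not code from this thread: it parses constructed packet-summary lines in an ad-hoc format of my own (the IP addresses, event names and byte counts are made up for illustration, not taken from a real capture) and groups them per remote host the way the observations above suggest.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed packet-summary lines in an ad-hoc format (not a real capture):
#   <seconds> <in|out> <remote_ip> <udp|tcp>/<port> <EVENT> [key=value ...]
# The two remote addresses are documentation-range placeholders.
SAMPLE_LOG = r"""
0.000   out 203.0.113.45 udp/137 NBSTAT_QUERY
0.010   in  203.0.113.45 udp/137 NBSTAT_RESPONSE
0.340   in  203.0.113.45 tcp/139 FILE_CREATE path=windows\brasil.pif
0.345   out 203.0.113.45 tcp/139 STATUS result=FAIL
137.440 out 198.51.100.7 udp/137 NBSTAT_QUERY
137.620 in  198.51.100.7 udp/137 NBSTAT_RESPONSE
137.900 in  198.51.100.7 tcp/139 FILE_CREATE path=windows\alevir.exe
137.905 out 198.51.100.7 tcp/139 STATUS result=OK
138.100 in  198.51.100.7 tcp/139 FILE_DATA bytes=44000
139.200 out 198.51.100.7 tcp/139 FILE_DATA path=windows\win.ini bytes=1200
"""

LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<dir>in|out)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>udp|tcp)/(?P<port>\d+)\s+(?P<event>[A-Z_]+)\s*(?P<detail>.*)$"
)


@dataclass
class Event:
    t: float
    direction: str
    ip: str
    proto: str
    port: int
    name: str
    detail: Dict[str, str]


@dataclass
class Finding:
    remote_ip: str
    probe_time: float
    create_path: str = ""
    blocked: Optional[bool] = None   # True when the create was refused (e.g. a read-only dummy file)
    bytes_pushed: int = 0            # payload bytes received after a successful create
    win_ini_sent: bool = False       # our win.ini was read back by the remote host


def parse_lines(text: str) -> List[Event]:
    """Turn the summary lines into Event records; key=value details become a dict."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        detail = dict(kv.split("=", 1) for kv in m.group("detail").split() if "=" in kv)
        events.append(Event(float(m.group("t")), m.group("dir"), m.group("ip"),
                            m.group("proto"), int(m.group("port")), m.group("event"), detail))
    return events


def find_reinfection_attempts(events: List[Event], window: float = 10.0) -> List[Finding]:
    """Correlate an outbound NBSTAT probe on UDP/137 with a following inbound TCP/139
    session from the same host that tries to create a file under windows\\."""
    findings: List[Finding] = []
    open_probe: Dict[str, Finding] = {}   # remote ip -> probe awaiting its 139 session
    current: Dict[str, Finding] = {}      # remote ip -> finding whose 139 session is active
    for ev in events:
        if ev.proto == "udp" and ev.port == 137 and ev.direction == "out" and ev.name == "NBSTAT_QUERY":
            open_probe[ev.ip] = Finding(remote_ip=ev.ip, probe_time=ev.t)
            continue
        if ev.proto != "tcp" or ev.port != 139:
            continue
        if ev.name == "FILE_CREATE" and ev.direction == "in":
            f = open_probe.pop(ev.ip, None)
            if f is None or ev.t - f.probe_time > window:
                continue
            path = ev.detail.get("path", "")
            if not path.lower().startswith("windows\\"):
                continue
            f.create_path = path
            current[ev.ip] = f
            findings.append(f)
        elif ev.ip in current:
            f = current[ev.ip]
            if ev.name == "STATUS":
                f.blocked = ev.detail.get("result") != "OK"
            elif ev.name == "FILE_DATA" and ev.direction == "in":
                f.bytes_pushed += int(ev.detail.get("bytes", "0"))
            elif ev.name == "FILE_DATA" and ev.direction == "out" \
                    and ev.detail.get("path", "").lower().endswith("win.ini"):
                f.win_ini_sent = True
    return findings


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per correlated attempt."""
    lines = []
    for f in findings:
        outcome = "blocked (create failed)" if f.blocked else f"payload pushed ({f.bytes_pushed} bytes)"
        lines.append(f"{f.remote_ip}: probe at {f.probe_time:.3f}s, create {f.create_path}: {outcome}"
                     + ("; win.ini sent back" if f.win_ini_sent else ""))
    return lines


if __name__ == "__main__":
    for line in report(find_reinfection_attempts(parse_lines(SAMPLE_LOG))):
        print(line)
```

Run stand-alone, the script prints two lines: the first attempt shows up as blocked with nothing pushed (the read-only dummy-file case), the second as a successful create followed by the payload and the win.ini readback. A real deployment would feed the correlator from a capture tool instead of the constructed text.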

Brad, you and JROB have put a lot of effort in providing some great information about this and help in getting rid of it. Thanks, and all the best!

Oops, I should have mentioned JROB in my list of people working hard to solve this virus. JROB, consider yourself recognized =)

I just started using this My Computing.net feature, so I selected this name instead of JROB I have been going by.
Thanks capt and Brad for the recognition. This is why I like this forum so much: a lot of people coming together to put an end to problems. I've learned a lot more about computers (I've been working with them since I was 8, and I'm 23 now, so I know some things lol) since I've been reading and assisting, as well as getting assistance from all the fine people that are generous enough to share valuable information. I hope this virus suffers a terrible death under the wrath we all have brought upon it.
Good luck everyone and keep on assisting.
WhoDunnit (JROB)

Hi, I think you guys are great. But what happens to people like me who don't really know the difference between TCP/IP and NetBIOS??
Need help in getting the virus out, and the site you recommended, I'm sure it's a great site but too much information for me to digest. Any easier way to kill this virus?
thanks,
rachel ng
malaysia

Thanks for all the information and for your great job.
Only a question:
How does the infection occur?
From an infected email or simply from browsing the Internet?
Thanks a lot,
GianLuca
Italy

The brasil etc. files are created from a .bat file in c:\windows, the file is called instit.bat
You must delete it from your registry using regedit at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run...
Once you have done this, restart your machine, search for instit.bat & delete it, make sure you empty it from your recycle bin.
Hope this helps!
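The Run key named in the post above can be audited from a registry export (the REGEDIT4 text format regedit writes) rather than by scrolling through regedit by hand. The Python below is an added example, not code from this thread: the export text is constructed, the value names `instit` and `puta` are assumptions, and only the file names (instit.bat, brasil.pif, alevir.exe, puta!!.exe) come from the posts in this thread. It lists every entry under the Run, RunOnce and RunServices keys and flags those that start a batch or .pif file or one of the names mentioned here.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed REGEDIT4 export for illustration only; not taken from a real machine.
# The value names "instit" and "puta" are assumptions; the file names come from the thread.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\WINDOWS\\SYSTEM\\exampletray.exe"
"instit"="C:\\WINDOWS\\instit.bat"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ExampleSvc"="C:\\WINDOWS\\SYSTEM\\examplesvc.exe"
"puta"="C:\\WINDOWS\\puta!!.exe"
"""

# Autostart keys of interest (any hive); the export writes them as [HKEY_...\...\Run].
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\]$", re.IGNORECASE)
# "name"="value" lines; REGEDIT4 escapes backslashes as \\ inside the quotes.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# File names mentioned in this thread as belonging to the worm.
WATCHLIST = {"instit.bat", "brasil.pif", "alevir.exe", "puta!!.exe"}


@dataclass
class RunEntry:
    key: str
    name: str
    command: str


def parse_run_entries(reg_text: str) -> List[RunEntry]:
    """Collect name/command pairs that sit under a Run-style key in a REGEDIT4 export."""
    entries: List[RunEntry] = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if RUN_KEY_RE.search(line) else None
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            command = m.group("value").replace("\\\\", "\\")  # undo REGEDIT4 escaping
            entries.append(RunEntry(key, m.group("name"), command))
    return entries


def image_basename(command: str) -> str:
    """Lower-cased file name of the program a Run command starts, ignoring arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        image = cmd[1:].split('"', 1)[0]      # quoted path, possibly with spaces
    else:
        parts = cmd.split()
        image = parts[0] if parts else ""
    return image.rsplit("\\", 1)[-1].lower()


def suspicious_run_entries(entries: List[RunEntry]) -> List[RunEntry]:
    """Entries whose program is on the watchlist or is a .bat/.pif started at logon."""
    flagged = []
    for e in entries:
        base = image_basename(e.command)
        if base in WATCHLIST or base.endswith((".bat", ".pif")):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in suspicious_run_entries(parse_run_entries(SAMPLE_REG)):
        print(f"{e.key}\n  {e.name} = {e.command}")
```

The legitimate-looking entries are left alone; only the two that match are printed with their key path, which is what you would then remove in regedit before deleting the file itself, as the post describes.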

Out of interest I FDisked my system and ran Format/U. I then ran fdisk/mbr and rebuilt my machine from an image created a year ago which I know was clean. I did not go onto the internet, and within five minutes I did a search of the registry and found alevir, brasil, and macro.
How, I don't know, but I am keen to find out.
Perhaps a low-level format is the way to destroy all past history. As Brad said above, keeping ports 137, 138 and 139 appears to stop reinfection. Good job guys

Grant, check out this next Opaserv thread on some of the research I've done:
It explains that a ton of registry settings are created by this virus, and that by deleting the registry (in effect, reinstalling Windows), you'll remove the leftover traces the virus created where it makes Windows do the virus's dirty work of redownloading the virus to your computer.
http://www.computing.net/security/wwwboard/forum/3199.html
As for the reinfection...I'm guessing you are probably on a network, and it reinfected you through those means. It appears that you get initially infected by the virus over a network, and then the rest of the times you get infected over the internet. I'm really not too sure, though, about how you get infected the first time....there could be a chance that it can infect you while you're on the internet.
Brad Peterson
b_peterson@yahoo.com
