
Opaserv reinfection possible cause


Name: Reginald
Date: November 2, 2002 at 01:51:21 Pacific
OS: win98
CPU/Ram: amd 16 512 ram
Comment:

One possible reason why this virus keeps reappearing is due to a protocol built into Windows called Router Solicitation. This means that when your ports are open or your firewall's down your system sends out your IP address to a multicast server (log IP 224.0.0.2). This must have got set up by a previous infection. This has the effect of broadcasting your IP to whoever wants to listen (similar to announcing it on a radio) (MS knowledge base Q223756). The virus is then sent back to your system under the various names and you become reinfected unless your virus scanner picks it up. The cure is to download a file called tweak up (free) from www.homestead.com/tweakup/tweakup.html and run a program called disable IRDP. This amends your registry to turn the transmission off. Since doing this we have been virus free for 24 hours running without any firewalls or ports locked out.




Response Number 1
Name: *Speedy*
Date: November 2, 2002 at 16:10:19 Pacific
Reply:

This looks like a very good possibility. I was curious about the vnbt.386 ITSELF being infected...
There's a program called PrcView
http://www.xmlsp.com/pview/prcview.htm

With this tool & a little knowledge of how to use it, you'd be surprised how many bugs you can trace down! I am confident someone with the virus who experiments & logs the changes with this tool can come up with a permanent fix! This viewer shows ALL the processes in use & what threads, modules, memory etc...
Logging the changes & seeing EXACTLY what they are doing will lead to the fix. (duh? you knew that)
Come on GURUS! Show 'em! I do not have the virus, just trying to help. I'm tired of seeing the trouble you are all having trying to rid yourself of this critter, especially with all the "fixes" out there by the big AV vendors NOT working. Hope this is helpful to someone, I know PrcView has taught me A LOT!
Good Luck Speedy



Response Number 2
Name: Brad Peterson
Date: November 4, 2002 at 12:33:55 Pacific
Reply:

Oooh...good idea. It's nice to hear other people thinking hard about this Opaserv worm.

From my experience though, I'd have to say I'm 80% sure the virus is constantly on my system, rather than it being downloaded every time I'm online. Here's why:

I had my firewall on for days, and I had no reports of a virus. I scanned my computer using numerous Opaserv tools. They came up saying I was virus free. So I loaded up my packet sniffer (it watches every single bit of network traffic over every protocol), and waited. I also kept a close eye on my dial-up networking traffic (that's the beauty of dial-up connections. Your network connections are slowed waaaay down to the point where you can actually watch the communication). After this, I disabled my firewall, and waited. 10 minutes later, I noticed outbound communication over my dial-up connection, and some inbound as well. This communication took the form of "who is at this IP address" type requests (all of which went over one of the ports 137-139, by the way). I didn't see any actual file data transfer according to my packet sniffer. Then, roughly 30 seconds later, Norton picked up marco!.scr on my hard drive (I had not previously had this variant until just now). This leads me to believe that the virus waits, dormant...and then periodically checks if there's open ports to start scanning (and/or get toggle switches for a new variant or just download new variants).

This seems to help explain what Angie saw, over on this post:
http://www.computing.net/security/wwwboard/forum/3028.html
Here's part of what she said after she got her firewall up: "Anyway, we have been virus free for over 24 hours now (knocking on wood again!). I should note that I have seen in my firewall's traffic log attempts from various IP addresses to connect with us through port 137. And the strange thing is, in the "Rule name" column of my traffic log I see a strange rule name for these and only these attempts:
GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP"

Now to back up your side of the argument, I haven't fully verified that there isn't any data transfer coming over my connection (I just glanced at the inbound and outbound traffic, which my packet sniffer all reported as "who is this" requests). I could, for example, see if the size of bytes downloaded matches up with the size of the virus executable before the transfer stops and Norton picks up the virus. Also, your answer sounds really cool and technical, so I want to believe what you say =)

Anyways, like I've said in Angie's post (linked above), here's my plan. I'm going to figure out exactly what this worm infects. I plan on installing win98 on a fresh machine, loading on Norton Anti-virus, hooking up a network card, and then installing a 32-bit installation monitor. I'll take a snapshot of the computer, then hook up the network cable...wait to get infected, and then take another snapshot. That will tell me any files that have changed in size, date, or content, as well as listing every change to the ini files, as well as every registry addition. Cool huh? That should narrow down where this virus is *really* stored. I'll post the results when I get them.

Unfortunately, I spent 6 hours over the weekend scraping up a bunch of old parts, then making this computer boot up into win98 without freezing, and then right when I was ready to take a snapshot, I accidentally infected the computer. GRRR! So I'm starting over now...installing Windows on a fresh hard drive. I'll post the results when I get them.

Hope all this extra info helps, I really appreciate everyone who has worked hard to figure out what's the true source of this virus. Keep us all posted with your ideas!

Brad Peterson
b_peterson@yahoo.com




Response Number 3
Name: Brad Peterson
Date: November 4, 2002 at 12:40:28 Pacific
Reply:

Wait wait, on second thought, I completely misrepresented Angie's situation. She said something was trying to communicate with her computer, rather than her computer trying to communicate out. Hmm...that's odd...because for me, I'm on a dial-up connection, and my IP address changes every time I reconnect. The virus shouldn't remember where I'm at.

I'll make sure to open my ports back up while keeping my packet sniffer on, and I'll very very carefully watch the data transfer to see what was first, my computer requesting out, or something else requesting in. Also, I'll watch the data coming across the connection to see what kind of data comes across.

Brad Peterson
b_peterson@yahoo.com



Response Number 4
Name: Reginald
Date: November 5, 2002 at 02:44:39 Pacific
Reply:

I did a binary dump of the package leaving my system (solicitation package) and the first 8 bytes are your current IP address. When you log on to your ISP you are assigned an IP address by your ISP, so even though it's different each time, the package that leaves your system contains your current IP. The package is sent via kernel32.dll, so if this is not blocked by your firewall then you get reinfected. If you keep getting infected, to prove the cause set kernel32.dll to prompt under Sygate. This will give you the chance to see the package and do a printout. Look out for the outgoing IP address of 224.0.0.02; this is the multicast address router where your IP is forwarded on from to the hacker who is sending the virus back out. This was perhaps because the opra site was closed down and this way it is hard to trace the virus supplier. Try the tweak registry update I posted earlier (after a virus scan & removal) and you will see the infection stop.



Response Number 5
Name: Brad Peterson
Date: November 5, 2002 at 11:16:41 Pacific
Reply:

I'm writing this because many people have had problems and are confused on how the Opaserv worm works. This article came in response to many people's hard work trying to figure out the virus, including Reginald, Angie, mr.dish, and myself. This article will better explain how the virus works, and what tests I ran to determine that. (If you want to see more about this virus, read all the Opaserv threads on this site.)


I ran a test with a packet sniffer and a dial-up internet connection. I then turned off my firewall (opened my ports 137-139) and then waited. Here's the results:

At 11:42 a.m. I opened my ports.
At 11:45, I noticed large amounts of communication.
15 seconds later, Norton informed me that I had alevir.exe. During this time, I received roughly 47k bytes, and transmitted out 6k bytes.

Now I looked at all the data, and WOW! I've got tons of information!


The first transmission was outbound, doing something over the NetBIOS protocol (port 137 in this case). This IP address responded quickly to me in roughly .01 seconds. I'm betting my computer remembers from previous experience that this IP address is also infected, and my computer can use it to get updates. Sounds like peer to peer eh? Now the reason I say that my computer remembers that this IP address will resupply me with an infection is...because the first time I got this virus, I'd watch my packet sniffer, and the virus started doing a bunch of "name query NBSTAT" requests down my IP list, starting at 192.168.1.0 to 192.168.1.255, and then it moved onto another IP range, and started querying those. But this time, my virus doesn't do that, it queried one IP address, and immediately received a response. That IP address eventually sent me either the virus or NetBIOS requests to launch the virus. This means that some other person, on my ISP, is infected, and tried to send me the virus! Wow, I'm still amazed at how creative this virus is, I've never seen one work like this before.

Ok, 0.339681 seconds after the transmission began, I communicated again with this other nearby IP address on my internet service provider, and it sent me a command to create windows\brasil.pif (my computer rejected that, since I had made a +r brasil.pif dummy file). This communication took place over port 139.

WOW! THIS IS COOL! It sat for roughly 137.1 seconds, and then it made another "name query NBSTAT" request...(I'm guessing a "do you contain a virus?" request) over the NetBIOS protocol to an ENTIRELY different IP address. This one is located in Mexico. In the request, you can see the request out and the request in contain the same coded data. (....)
Also, this request took place over port 137.

We instantly communicated again after I received the coded response that this computer did have a virus for me. This new communication took place over port 139. The contents of this communication are much much larger than the other one. In the first few lines, this one didn't ask me to launch brasil.pif like my first transmission did, this one asked me to launch alevir.exe!

This explains why sometimes you randomly get infected with different variants of the virus. Your computer is searching for other infected computers, and when it finds one, that infected computer sends you whatever virus it has! It's like random peer to peer, you get whatever they send you. My first time, it was brasil.pif; the second time was alevir.exe. This also explains that you aren't receiving the virus from a hacker, but instead somebody else who is infected. (Reginald, yours came from IP address 224.0.0.02, mine shows no trace of communication with that address.)

Anyways, the contents of this alevir transmission were much larger, some 44000 bytes, compared to 285 bytes. I believe I have an explanation for this. The 285 byte transmission tried to create brasil.pif, and my computer sent back that it failed (because it couldn't create it due to the +r read only flag on the dummy brasil.pif file). Because it couldn't create the file, the virus stopped communicating.

As for the 44000 byte Alevir transmission. I do NOT have a dummy +r alevir.exe file. Therefore, when the network communication started, it tried to create alevir.exe, and my computer instantly sent back a "response completed" communication. Therefore, the virus kept the communication going. I then received a lot of stuff, can't tell what it is exactly (if I had an alevir.exe file, I could check to see if portions of the binary code matched the binary I received over the transmission. I'm betting though it is the alevir.exe executable.). Intermixed with this communication is some readable code, namely http requests of all sorts to www.n3t.com.br, as well as a bunch of dll file names and threads associated with them (API calls?). There's also some registry keys, file names like alevir.exe, alevir.dat, alesout.dat, puta!!.exe and so on. Finally, I see a "windows\win.ini" in there. Yep, looks very suspiciously like the virus executable.

Now here's another scary part, after I appeared to receive the virus executable, my entire win.ini file was sent BACK to the computer I received the virus from! Is that creepy or what? Luckily, I'm not sending it back to some hacker, but rather some other person who's infected. So I bet if I leave my ports open, and some other person requests the virus from me, I could watch the network communication, and see their win.ini file.

After my win.ini file was sent off, the transmission stopped. I then turned ZoneAlarm back on, and of course, I haven't had a virus since.

So the following things can be concluded from this:

1) The executables of the virus are taken off your computer by anti virus software, but not the rest of it (or all of what it changed).
2) Something, somewhere on your computer, tells your computer to query IP addresses over port 137 until it finds a computer that is infected.
3) If you've been previously affected, your computer *remembers* what IP address can be called to get reinfected.
4) When an infected computer is found, communication instantly starts over port 139, where the virus tries to create a file on your computer in the windows directory (whatever opaserv variant the infected computer has).
5) If the virus can't create that file it sends back a response saying the creation failed. The virus stops making further requests. It will then request again a few minutes later (137.1 seconds in my case).
6) If the virus could create the file in your windows directory, it sends back a response saying the creation was completed, and then the infected computer downloads the virus executable code to your computer.
7) Your win.ini file appears to be sent back to the infected computer.
8) The virus runs, and Norton (or whatever anti-virus software you have) catches the executable, and removes it.
9) This also removes any idea that the virus morphs into a new variant on a particular date; it is instead released onto the internet by some person, and then it spreads across the world.

I hope this helps anyone trying to understand how this virus works. I later plan on taking a snapshot of a clean computer's hard drive before and after an infection to see exactly what files changed in size/date/content, as well as .ini file changes and registry key changes. I'll post the results when I get them. Hopefully that will tell us how to fully remove the virus from your system instead of suppressing it.

If you are here looking for a fix, try my solution on this post:
http://www.computing.net/security/wwwboard/forum/2985.html
or other people's solutions.

Brad Peterson
b_peterson@peterson
feel free to email me for help removing this worm, questions, etc.



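The sequence Brad lays out in Response Number 5 (an outbound NBSTAT name query on port 137, then an inbound session on port 139 that tries to create a file in the Windows directory, then win.ini going back out) is a pattern a defender can look for in a connection log. The following Python is an added example, not code from this thread: the log format, the peer addresses and the summary strings are all constructed here to mirror the post's timeline, and the detection thresholds are assumptions.

```python
import re
from collections import namedtuple

WINDOW = 5.0  # max seconds between the NBSTAT probe and the TCP/139 create (the post saw ~0.34 s)
CREATE_RE = re.compile(r"create file \\WINDOWS\\(\S+)", re.IGNORECASE)
Event = namedtuple("Event", "t direction peer port info")  # direction is "in"/"out" for the monitored host

# Constructed sniffer summary lines (not a real capture) in the form
# "<seconds> <in|out> <peer IP> <port> <summary>", mirroring the post's two exchanges.
SAMPLE_LOG = r"""
0.000   out 10.0.0.7    137 Name query NBSTAT *<00><00>
0.010   in  10.0.0.7    137 Name query response NBSTAT
0.340   in  10.0.0.7    139 SMB Create file \WINDOWS\brasil.pif
0.360   out 10.0.0.7    139 SMB Create failed (access denied: read-only dummy file)
137.500 out 203.0.113.9 137 Name query NBSTAT *<00><00>
137.520 in  203.0.113.9 137 Name query response NBSTAT
137.600 in  203.0.113.9 139 SMB Create file \WINDOWS\alevir.exe
137.620 out 203.0.113.9 139 SMB Create ok
140.100 out 203.0.113.9 139 SMB Write \WINDOWS\win.ini
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            t, direction, peer, port, info = line.split(maxsplit=4)
            events.append(Event(float(t), direction, peer, int(port), info))
    return events

def find_opaserv_exchanges(events):
    """One finding per peer that we probed with NBSTAT on 137 and that, within
    WINDOW seconds, tried to create a file under \\WINDOWS\\ over port 139."""
    by_peer = {}
    for e in events:
        by_peer.setdefault(e.peer, []).append(e)
    findings = []
    for peer, evs in by_peer.items():
        probes = [e for e in evs if e.port == 137 and e.direction == "out" and "NBSTAT" in e.info]
        for e in evs:
            m = CREATE_RE.search(e.info)
            if e.port != 139 or e.direction != "in" or not m:
                continue
            if not any(0 <= e.t - p.t <= WINDOW for p in probes):
                continue  # a 139 session with no preceding probe is something else
            later = [x for x in evs if x.t > e.t and x.port == 139]
            findings.append({"peer": peer, "file": m.group(1),
                             "created": any("create ok" in x.info.lower() for x in later),
                             "win_ini_sent": any(x.direction == "out" and "win.ini" in x.info.lower() for x in later)})
    return findings
```

The first finding shows the read-only dummy brasil.pif blocking the drop, as in the post; the second shows the full alevir.exe sequence ending in win.ini leaving the machine.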



Response Number 6
Name: Brad Peterson
Date: November 5, 2002 at 11:36:27 Pacific
Reply:

Oops, I didn't mean for this post to be in here, it has some grammar errors =). The real post is found at:
http://www.computing.net/security/wwwboard/forum/3101.html

Brad Peterson
b_peterson@yahoo.com





