OK I am just trying to consolidate solutions to the OPASERV.WORM. Read these links.
http://miataru.computing.net/security/wwwboard/forum/2897.html (My Original Post)
http://miataru.computing.net/security/wwwboard/forum/2921.html
http://miataru.computing.net/security/wwwboard/forum/2954.html
They all have some scattered info that is different. If you read the first link, I put some pretty detailed info in there (JROB). I also talked about Zone Alarm. It is great to have on a network, except people can be blocked within the network from accessing computers with Zone Alarm on it. In that first link again I talked about how to correct that. Now someone has also stated that PUT.INI is in your root drive, and that too is true sometimes. I think that depends on the level of infection. If you read the PUT.INI it has the line that inserts the Brasil.pif/exe on your computer. I didn't talk about which registry key to delete when I mentioned it, and I should have.
I took this from a post by lac8383:
Delete this entry from your registry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvr" = %WinDir%\ScrSvr.exe
Now also alevir.exe and brasil.exe or .pif could be in there instead of SCRSVR.exe.
Ok well I'll stop here, I was just hoping to eliminate too much confusion because there have been several posts about this worm.

Here's the answer to the put.ini information.
The put.ini is essentially a copy of your win.ini file regardless of whether the opaserv worm actually trashed your real win.ini file or not. Also, according to Norton, put.ini is involved with the brasil.pif variant.
Also, I've seen 4 situations with the put.ini file. I've seen where there's no put.ini file, where the put.ini file is on your c:\ and your win.ini file is still the same in your windows directory, and where the worm deletes almost all the content of your win.ini, but there's a full put.ini file, and finally, no put.ini file with an almost fully deleted win.ini file.
So to sum up, hopefully your win.ini file wasn't trashed before you deleted that put.ini. If not, then you'll probably have to reinstall windows (to get fonts working again, along with printer drivers).
-------
As for fixes. It is possible to use ZoneAlarm as your overall fix, even on a network. You just have to spend a lot of time configuring the settings by setting up a trusted ip zone and allowing certain people access, etc.
Also, if you want a comprehensive overall fix, I've written a long article which I keep copying and pasting whenever anyone asks a question on how to stop this virus, and why Norton doesn't fully delete it. Here it is again:
I was one of the lucky ones who got the full blown effect of the Opaserv worm. I had scrsvr.exe, brasil.pif, alevir.exe, and then marco!.scr. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, downloaded the patch from Microsoft, cleaned out my registry, kept my win.ini file clean, made dummy scrsvr.exe and brasil.pif files with the +r read attribute flag, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Because of all of this, I feel that I have to resort to caps to make the following point =)
IF YOU SIMPLY USE NORTON ANTIVIRUS AND DELETE CERTAIN FILES AND REGISTRY ENTRIES THE VIRUS CREATES, THE WORM WILL COME BACK! THE VIRUS USES PORTS 137-139 ON YOUR COMPUTER TO WORK. YOU MUST CLOSE THOSE PORTS!
So, I resorted to closing my ports 137-139 (Turning off NetBIOS), and my computer has not reported a virus for 6 days now. (It used to report it every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.
I found a nice site that describes how to turn off these ports in detail, and it has simple to follow steps with handy screenshots. The site is here.
https://grc.com/x/ne.dll?bh0bkyd2
Run the "Probe my Ports" test first for kicks, it should show you that your computer is vulnerable in the ports that this virus uses. Next, go to section 5 "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply just close off ports 137-139 to those that shouldn't have access to it. Once you do this, the virus should be blocked from coming back every time you connect to the internet.
By the way, make sure you also follow all of the tips listed on Symantec about the Opaserv worm. You must clean out your registry, win.ini file, and download the patch from Microsoft. The three Norton sites describing this virus are:
If all of this was too technical for you, then another great solution is to download the free version of ZoneAlarm here: http://download.com.com/3000-2092-10153456.html?tag=lst-0-8
Another quick and easy solution is to just disable file and printer sharing. I've heard from others that did the trick (As for me and most others, I need file and printer sharing)
And as for one last side note, it appears that you can't fully remove the virus, you can only suppress it. For example, my ports 137-139 were closed, and I hadn't had a virus report in 7 days as a result. I scanned for the opaserv virus using both of Norton's tools (NAV and FixOpsv.com), and it reported I was virus free. Then I decided to open the ports and connect to the internet to see what happened. *BAM* The virus was back in 5 minutes! And I was on a dialup dynamic IP address! That means the virus waits on the computer, just waiting for open ports and an internet connection. So I closed the ports, and immediately all virus activity stopped again. To sum up, by closing the ports off, you'll just suppress the virus for the rest of your computer's life.
Good luck!
Brad Peterson
b_peterson@yahoo.com
(email me if you have problems, I'd be happy to help)

I was infected by this virus and I removed it without any problem! (.fr)
"This worm uses a security vulnerability in Microsoft Windows 95/98/Me. It sends single character passwords to network shares to get access to Windows 95/98/Me file shares without knowing the entire password assigned to the shares. The affected systems include Windows 95, 98, Me and XP."
GO TO --->
http://www.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

It's very easy to remove brasil/alevir/marco!/scrsvr/insit files
1) share UR hard drives with READ ONLY (not FULL ACCESS)
2) remove keys in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3) remove from c:\windows\win.ini file parameters from run= (there is 50% chance, U have entries to these files)
4) reboot system
5) delete these files
:)
it works fine on LAN in my e-caffe
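
The registry and win.ini checks from the steps above, written as a read-only audit. This is an added example, not part of the original post: it scans the text of a win.ini and of a REGEDIT4 export of the Run key for the file names mentioned in this thread. The function names, the constructed sample inputs, and the inclusion of `load=` alongside `run=` are assumptions.

```python
import re
# File names reported in this thread; extend the set as variants appear.
WORM_FILES = {"scrsvr.exe", "brasil.pif", "brasil.exe", "alevir.exe",
              "marco!.scr", "instit.bat"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def _basename(command):
    """Lower-cased file name of a command string, arguments dropped."""
    parts = command.strip().strip('"').split("\\")[-1].split()
    return parts[0].lower() if parts else ""

def scan_win_ini(text):
    """Return (key, entry) for run=/load= entries in [windows] naming a worm file."""
    hits, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):  # load= is an assumption
                hits += [(key.strip().lower(), e) for e in re.split(r"[ ,]+", value)
                         if _basename(e) in WORM_FILES]
    return hits

def scan_reg_export(text):
    """Return (name, command) for Run-key values naming a worm file."""
    hits, in_run = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            command = m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
            if _basename(command) in WORM_FILES:
                hits.append((m.group(1), command))
    return hits

# Constructed sample inputs (not taken from a real machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\brasil.pif
"""
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
"SystemTray"="SysTray.Exe"
'''
if __name__ == "__main__":
    print(scan_win_ini(SAMPLE_WIN_INI), scan_reg_export(SAMPLE_REG))
```

Entries are split on spaces and commas, so a path containing spaces would need its short (8.3) form to be matched.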

Hiya Brad,
I have this problem at present, reading your comments confirmed my thoughts.
I am also having problems with repetitive re-occurrence of instit.bat at same time as alevir/brasil/marco!/scrsvr.
As you describe, even removing ALL references in registers is only a temporary solution.
Is your fix of disabling ports the only solution, any other suggestions you may have would be appreciated.
Ta,
Andy H

My computer has been infected with all these and mutant variants for some time now. Although I can keep deleting the files from win.ini, they reappear in short time when connected to net.
I have found a shortcut to a dos file named 'Brasil' in the Windows folder but when I try to delete it returns "unable to delete this file". Also files Delis32.ini and Delis32.LNK have now appeared, can you throw any light on these, are they harmful derivatives? I am on Win 98SE
I had Norton removed as that was not stopping it and now McAfee is not either!
Can you explain how to 'close' ports 137 / 139 as mentioned in some responses?
I am not a competent computer boffin and at a loss as to what to do next!
TIA Dave
