OK, I am searching through the computer that was heavily infected with the fun w32.opaser.worm...ya know...with the nice brasil.pif and alevir.exe and scrsvr.exe etc. Well, I found the brasil.pif and the scrsvr.exe again. I also found the tmp.ini file that is replicated from the win.ini and then reloaded as the win.ini file to reinfect. Now I came upon this file called WIN.SYD. It isn't an ini or anything, and doesn't have any fancy icon for me, just the Windows logo on a piece of paper (the default icon). Well, I double clicked to open it, and Windows asked what I would like to open it with. I selected Wordpad, and it opened up into a well formatted text document. And whattya know, another copy of the WIN.INI, and in this file was a line that tells Windows to run every one of the files to name: the brasil.exe, the alevir.exe and the scrsvr.exe. Well, I didn't know if this file was a needed file by Windows that was infected or a file created by the virus to do the infecting, so I just deleted the run line.

I haven't read anywhere in the forum about this file being found in the worm's path, so I'm not sure if anyone else has knowledge of it. So here it is. SEARCH YOUR COMPUTER FOR A FILE NAMED "WIN.SYD". And while you're at it, do a search for WIN.* and see if any other oddball files come up that may contain the code to run this virus.
I hope that this helps in the path to eliminating this file once and for all.
WhoDunnit
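The post above describes the worm's persistence trick: a copy of WIN.INI (here saved as WIN.SYD) whose [windows] section carries a run= line naming the worm executables, and a later post in this thread mentions the same names turning up in the Registry Run key and %system%. The script below is an added example written for this thread, not code from the original posts or from any tool mentioned in them. It parses win.ini-style text, pulls out the run= and load= autostart entries, and flags any program whose file name matches the names reported in this thread (brasil.pif, brasil.exe, alevir.exe, scrsvr.exe, marco!.scr); the sample WIN.SYD contents and the scan_directory helper are constructed for the example, and the worm-name list is taken only from the thread.

```python
"""Find run=/load= autostart entries in win.ini-style files (added example for this thread)."""
import re
from pathlib import Path

# File names reported in this thread; not an authoritative indicator list.
KNOWN_OPASERV_NAMES = {"brasil.pif", "brasil.exe", "alevir.exe", "scrsvr.exe", "marco!.scr"}

# The [windows] section of win.ini starts programs listed on these two keys at logon.
AUTOSTART_KEYS = {"run", "load"}


def parse_autostart_entries(text):
    """Return (key, value) pairs for run=/load= lines found in the [windows] section."""
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if section == "windows" and key.strip().lower() in AUTOSTART_KEYS:
            entries.append((key.strip().lower(), value.strip()))
    return entries


def flag_autostart_programs(text, known=KNOWN_OPASERV_NAMES):
    """List every program an autostart line would launch and mark the ones with a known worm name.

    run= and load= take a space-separated list of programs, so a path containing
    spaces is split into fragments here; that is a limitation of this simple parser.
    """
    findings = []
    for key, value in parse_autostart_entries(text):
        for prog in value.split():
            name = Path(prog.replace("\\", "/")).name.lower()
            findings.append({"key": key, "program": prog, "known_worm_name": name in known})
    return findings


def scan_directory(root):
    """Scan files named WIN.* under root (the search the post recommends) and report hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().startswith("win."):
            try:
                text = path.read_text(encoding="latin-1", errors="replace")
            except OSError:
                continue
            hits = flag_autostart_programs(text)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample resembling the WIN.SYD described in the post; not a real capture.
SAMPLE_WIN_SYD = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\scrsvr.exe C:\\WINDOWS\\SYSTEM\\alevir.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed clean win.ini for comparison.
SAMPLE_CLEAN_WIN_INI = """[windows]
load=
run=
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for finding in flag_autostart_programs(SAMPLE_WIN_SYD):
        print(finding)
    print("clean file findings:", flag_autostart_programs(SAMPLE_CLEAN_WIN_INI))
```

Running the sample reports both programs on the run= line as known worm names and nothing for the clean file; pointed at a Windows directory with scan_directory it covers the WIN.* search the post suggests, though it only reads INI-style text and will not catch an autostart entry stored anywhere else.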
It appears that every opaserv variant has different names it copies the win.ini file to. It's good to hear you found another one.
However, it's nothing to be alarmed about. Your computer will safely and happily ignore that .ini file since it's not used in bootup. Since nothing calls that .ini file, you probably can just leave it alone. For example, on my computer, I have a directory dedicated to saving all the opaserv executables and .ini files it creates. Unless the virus knows about this directory, nothing's going to try to access those files, not even Norton.
However, you do bring up a good point by finding that .ini file. Sometimes the virus cleans out your win.ini file, and it'd be very nice if you found out that the virus made a backup copy for you. =)
Brad Peterson
b_peterson@yahoo.com
I have a win.syd file created on November 22, 2000. The files with .syd are created by using sysedit, or were, from what I saw on a Google search.
Great Job, WhoDunnit!
Tomorrow when I get back into the office, I will make sure to look for this one!
Thanks for letting us all know!
~~ Angie :)
I have been searching the files on this computer for odd looking ones, but that was at work. I'm gonna get back on it tomorrow.
Good Luck All
WhoDunnit?
I have all the same files, including Brasil.pif, Alevir.exe, marco!.scr, scrsvr.exe. I notice that even though the files are deleted and of course removed from HKLM\Software\Microsoft\Windows\CurrentVersion\Run as well as the Win.ini, the files seem to always reappear in the %system% directory once a valid Internet Winsock is established. I monitor the bytes sent/received and it sends about 100 bytes, then all of a sudden I start getting lots of receive traffic (WITH NO OPEN WINSOCK APPLICATION), then all of a sudden in the %system% directory another copy appears and a couple of seconds later a consistent stream of send traffic to GOD knows where... Running Norton real-time monitor keeps things from being sent out, but what the %#@& is this thing, and what in the system is telling it where to go on the WEB to get the infected file again?
David,
You said "what the %#@& is this thing and what in the system is telling it where to go on the WEB to get the infected file again." Fortunately, I just wrote all about that in this post:
http://www.computing.net/security/wwwboard/forum/3101.html
No full answers yet...but it's a huge start.
Brad Peterson
b_peterson@yahoo.com
These files/programs are sending out continuous signals, homing signals, to invite advertisers in to your web pages. They also seem to have vastly increased the quantity of unwanted email I have received.
When you look inside these files with XtreePro, or Edit.com, you can see references to opasoft.com, and it is from here that it updates its files.
I would like to see coordinated action to bomb such sites with excessive email and other action to boycott those advertisers that use its services.