Ok, there has been so much about this W32.opaserv.worm going about and I'd just like to share a solution and clear it up. I know there is a version with ALEVIR.exe and SCRSVR.EXE, and a newer version with BRAZIL.PIF and BRAZIL.exe. Now we got this at work two days ago, and it was up to me to take care of it (oh joy). Well, I got rid of the files. I had to go to DOS mode to delete the brasil.pif. OK, I also deleted the TMP.INI folder that is created, and went into WIN.INI and deleted the run=. I also went into the registry where Symantec and Trend Micro suggested and deleted the registry key. Now, having all of it off, it kept wanting to just pop back on the computer. And no, I didn't even go on any web sites, it's just that we are on DSL at work, so a connection is always established. After cursing it for reoccurring, I installed Zone Alarm. And I was pleased to see the Zone Alarm alert come up that it was stomping on the site sending the virus. That is what I had to do to keep it off the computer. It was the first time I was really happy with a firewall. Well, I'm sorry for taking up so much time, and please feel free to list other solutions here for people's assistance.
Thank you all for your time.
JROB

Well, I did the same thing, but why is this site getting into our PCs? Or why is this remote machine trying to do that? There's probably another Trojan running in our system giving them our IPs to invade, otherwise ZoneAlarm wouldn't be blocking these attempts to infect the system all the time. The thing is, try to identify this Trojan, and turn off ZoneAlarm, because if you have a network, ZoneAlarm blocks too much stuff, with no permission.
See ya

Gosh, I read your letter... so déjà vu.
But I had Zone Alarm already running, and I can't seem to get rid of the durn thing.
one antivirus program calls it opus.agot rid of the scrnsvr.exe file though.
Still working on killing the brasil.exe.
Shows up in win.ini. Did not see it in the registry this time, but I haven't checked it again in the last few hrs.

I'd set your Zone Alarm settings for the internet to the highest. From what I understand this form of virus gets in through ports 139 and 137. NetBIOS pretty much runs those ports on computers. Closing those ports might help as well.
Also, Cesar, even if you have a network, once someone is blocked, you can go into Zone Alarm and check out everything that was blocked. Just get the IP address of the person who was blocked and you can put it in Zone Alarm's Trusted Zone. This is what I did at work so no one within our network is blocked.

I too have battled this thing. For more than just 2 days. And on more than just one PC. For me, I already had NAV 5.0 running on it with the latest live updates. It did not catch it. I installed a program called Security 98. I still kept getting it. So I installed Security 98 on the other PC as well. Still kept coming back. So, going back over the information given on this virus, I went into my download folder to check all the files/programs downloaded recently. Still nothing. The info said it can manipulate itself to be in the form of a download. So after finding nothing on my PC, I went into my son's PC. Sure enough, in his download folder I found this file that was infected. It was just called: DC27. It was a booter program my son downloaded, and it was infected. After deleting the infected file I have no more virus. And the Security 98 is a good program too, because my son visits a lot of sites where people try to alter stuff on your computers. This program stops them.

The following is the article I posted over on the alevir.exe thread (If you really want to understand the opaserv worm, read that thread, along with the brasil.pif thread)
I was one of the lucky ones who got the full blown effect of the Opaserv worm. I had scrsvr.exe, brasil.pif, and then alevir.exe. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, kept my win.ini file clean, made dummy scrsvr.exe files, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Because of all of this, I feel that I have to resort to caps to make the following point =)
IF YOU SIMPLY USE NORTON ANTIVIRUS AND DELETE CERTAIN FILES AND REGISTRY ENTRIES THE VIRUS CREATES, THE WORM WILL COME BACK! THE VIRUS NEEDS TO USE PORTS 137-139 ON YOUR COMPUTER TO WORK.
So, I resorted to closing my ports 137-139 (Turning off NetBIOS), and my computer has not reported a virus for 6 days now. (It used to report it every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.
I found a nice site that describes how to turn off these ports in detail, and it has simple to follow steps with handy screenshots. The site is here.
https://grc.com/x/ne.dll?bh0bkyd2
Run the "Probe my Ports" test first for kicks, it should show you that your computer is vulnerable in the ports that this virus uses. Next, go to section 5 "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply just close off ports 137-139 to those that shouldn't have access to it.
Good luck!

I too have been having to deal with the opaserv problem, which kept reoccurring day after day... I finally closed off ports 137-139 like others did and changed bindings. So far I haven't been reinfected for 24 hours. Thank god! The GRC website is the only solution that worked for me. NAV removal tool is for the birds.

If you want to remove the virus, use the Norton removal tool. Make sure to also remove the PUT.INI file in the root directory. Norton seems to miss that one.

I got a cable modem last week, and after it was online for 3 hours, I happened to be browsing through my root dir and I noticed "gay.ini" and "put.ini".
I read the lines in those files, and then went into system configuration utility under the startup tab. I noticed all the pieces of the virus set up to load on boot, so I unchecked them all. I then restarted in DOS mode, because I couldn't delete any of the .exe's in Windows.
After deleting everything in DOS mode, I started Windows again, and went into win.ini, deleted all mention of the files.
Finally, to eliminate mention of these files under the startup tab, I did a search for alevir in my registry, and deleted them, as well as all related files. I also had something called cronos/Marco!.exe running as well, which I got rid of.
Interestingly, I noticed that the .ini file they sent was from Israel, using Hebrew font.
Also, when I checked file properties on each piece of the virus, I noticed that it said the date created was "1970". Dead give-away right there. Heh. It took me, I think, 10 minutes total to completely eliminate all occurrences of this virus. I didn't use any antivirus programs, as I feel most of them are useless.
I went out and bought a router with built-in firewall and haven't had any problems since, nor does the router cause any denied access issues that I've come across.

I got a super version of the worm that produces the alevir.exe, scrsvr.exe, brasil.exe, brasil.pif, and the marco!.scr files. It also modifies the win.ini file to run these files. What it does NOT do, which may indicate an even newer strain, is create any of the registry changes that I have seen mentioned in various posts and websites or create any of the *.ini, or any of the scrs*.* files other than those mentioned above.
I believe it can also infect other .exe files, but the latest McAfee anti-virus software does not detect it and it has had ample opportunity to infect any number of files on my system. After installing a firewall and deleting all the files and win.ini entries, I no longer see these files getting created, but I know the virus is still on my system and may be infecting files. Does anyone know how to tell if any files are infected, or even if it infects other files at all?
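
Added example, not part of any poster's message: a check of the WIN.INI autorun lines that several posts above describe cleaning by hand. The file names in `REPORTED_NAMES` are the ones posters in this thread reported; the function name, the sample WIN.INI and the assumption that entries are space- or comma-separated paths without embedded spaces are this example's own.

```python
import ntpath

# File names reported by posters in this thread (compared case-insensitively).
REPORTED_NAMES = {"scrsvr.exe", "alevir.exe", "brasil.exe", "brasil.pif", "marco!.scr"}
AUTORUN_KEYS = {"run", "load"}  # WIN.INI [windows] keys that start programs at boot


def scan_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a WIN.INI file.

    findings is a list of (line_number, key, program) tuples; cleaned_text is
    the file with only the flagged programs removed from run=/load= lines.
    """
    findings, out, section = [], [], ""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        key, sep, value = stripped.partition("=")
        key_l = key.strip().lower()
        # Only the [windows] section's run=/load= lines are autorun entries.
        if section == "windows" and sep and key_l in AUTORUN_KEYS:
            kept = []
            # Assumption: programs are separated by spaces or commas.
            for prog in value.replace(",", " ").split():
                if ntpath.basename(prog).lower() in REPORTED_NAMES:
                    findings.append((lineno, key_l, prog))
                else:
                    kept.append(prog)
            line = f"{key.strip()}={' '.join(kept)}"
        out.append(line)
    return findings, "\r\n".join(out) + "\r\n"


# Constructed sample, not taken from a real infected machine.
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\WINDOWS\\SCRSVR.EXE C:\\TOOLS\\CLOCK.EXE c:\\windows\\brasil.pif\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "run=alevir.exe\r\n"
)

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE)
    for lineno, key, prog in hits:
        print(f"line {lineno}: {key}= starts {prog}")
    print(cleaned)
```

The `[Desktop]` line in the sample is left alone because only the `[windows]` section's `run=` and `load=` keys launch programs at startup.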
