
W32.Opaserv.Worm

Original Message
Name: Vandana
Date: October 29, 2002 at 03:40:45 Pacific
Subject: W32.Opaserv.Worm
OS: Win 98
CPU/Ram: P III 1000 Mhz
Comment:

I have Norton Antivirus 2001 installed on my computer and it gives me a message saying C:\windows\brasil.pif or brasil.exe or alevira.exe is infected with W32.Opaserv.Worm, and when I delete the file it recurs again - please help!




Response Number 1
Name: willis
Date: October 29, 2002 at 03:58:34 Pacific

29 Oct 2002

So do I, since this morning. Norton picks them up and you can quarantine the files.
But I then have trouble booting, as it also tells me that scrsvr.exe is contaminated, and when I quarantine this file I don't boot properly. On another computer that is not infected I can't find this file on the C disk, so I assume it has written into the register a reference to the file scrsvr.exe and I will have to change the register entry.




Response Number 2
Name: JROB
Date: October 29, 2002 at 04:34:56 Pacific

Read all of these; they are very helpful.

http://miataru.computing.net/security/wwwboard/forum/2921.html

http://miataru.computing.net/security/wwwboard/forum/2897.html



Response Number 3
Name: Steve
Date: October 29, 2002 at 05:09:42 Pacific

Go here...
http://sarc.com/avcenter/venc/data/w32.opaserv.e.worm.html

Norton has the details on getting rid of it... follow the directions closely...

Good Luck
Steve



Response Number 4
Name: Brad Peterson
Date: October 29, 2002 at 09:19:58 Pacific

The following is a post I submitted on numerous threads discussing the opaserv worm (if you want to have a good readup on this virus, check out the threads: the alever.exe thread, the W32.Opaserv.Worm virus scrsvr.exe thread, and the brasil.pif thread.)

I was one of the lucky ones who got the full blown effect of the Opaserv worm. I had scrsvr.exe, brasil.pif, and then alevir.exe. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, downloaded the patch from Microsoft, cleaned out my registry, kept my win.ini file clean, made dummy scrsvr.exe and brasil.pif files, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Because of all of this, I feel that I have to resort to caps to make the following point =)

IF YOU SIMPLY USE NORTON ANTIVIRUS AND DELETE CERTAIN FILES AND REGISTRY ENTRIES THE VIRUS CREATES, THE WORM WILL COME BACK! THE VIRUS USES PORTS 137-139 ON YOUR COMPUTER TO WORK. YOU MUST CLOSE THOSE PORTS!

So, I resorted to closing my ports 137-139 (Turning off NetBIOS), and my computer has not reported a virus for 6 days now. (It used to report it every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.

I found a nice site that describes how to turn off these ports in detail, and it has simple-to-follow steps with handy screenshots. The site is here:

https://grc.com/x/ne.dll?bh0bkyd2

Run the "Probe my Ports" test first for kicks; it should show you that your computer is vulnerable in the ports that this virus uses. Next, go to section 5 "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply close off ports 137-139 to those that shouldn't have access to them. Once you do this, the virus should be blocked from coming back every time you connect to the internet.

Good luck!


P.S. (Make sure you also follow all of the tips listed on Symantec about the Opaserv worm. You must clean out your registry, win.ini file, and download the patch from Microsoft)



Response Number 5
Name: paul rose
Date: October 29, 2002 at 10:14:24 Pacific

We had Opaserv as scrsvr.exe (supposed to be Opaserv.A) and as alevir.exe (supposed to be Opaserv.F).

I found a tool at Panda Software (http://service.pandasoftware.es/library/virusCard.jsp?Virus=W32/Opaserv.F) which was fast and successful (the Symantec tool called "fixopaserv" did not find alevir.exe) - well, I used it about one hour ago; we will see what happens tomorrow.

good luck to all of you.





Response Number 6
Name: Brad Peterson
Date: October 29, 2002 at 13:27:34 Pacific

Just an update on fixing ports 137-139. You should only read this if you are running on a network. The site I mentioned above in post #4 advocates using NetBEUI for your internal network. Unfortunately, that can be a pain if you're running a TCP/IP internal network, and you can't switch over to NetBEUI protocol. So I looked for a way to allow me to run a TCP/IP network on a Windows 98 machine while blocking ports 137-139. But, according to grc.com, "the only way to close port 139 is for every single service to be unbounded from every single instance of TCP/IP."

What this means is, there is no way to use TCP/IP for an internal network while having port 139 closed!

So if you're in this sticky situation, you must put up a firewall: either Zone Alarm for your personal computer, or configure your network's firewall. We configured our Linux firewall to not allow any outbound communication over ports 137-139, and that should do the trick for us. (As for me, since I take my computer home from our office network to connect to the internet via Dial-Up adapter, I'll have to get Zone Alarm.)



Response Number 7
Name: JROB
Date: October 29, 2002 at 13:36:59 Pacific

One of my earlier threads reads:

"I'd set your Zone Alarm settings for the internet to the highest. From what I understand this form of virus gets in through ports 139 and 137. NetBIOS pretty much runs those ports on computers. Closing those ports might help as well.

Also, Cesar, even if you have a network, once someone is blocked, you can go into Zone Alarm and check out everything that was blocked. Just get the IP address of the person who was blocked and you can put it in Zone Alarm's Trusted Zone. This is what I did at work so no one within our network is blocked."
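Posts #6 and #7 above come down to two checks: is anything outside the trusted LAN probing ports 137-139 on internal hosts, and is any internal host reaching out to port 139 itself. The following is an added example (not from the thread, and not part of Zone Alarm or any other product named in it) that applies both checks to constructed iptables-style LOG lines; the trusted range, the addresses and the log lines are all made up for the example.

```python
import ipaddress
import re

# NetBIOS over TCP/IP: name service 137/udp, datagram 138/udp, session 139/tcp.
NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_log_line(line):
    """Pull SRC/DST/PROTO/DPT out of an iptables-style LOG line; None if incomplete."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"],
            "proto": fields["PROTO"].upper(), "dpt": int(fields["DPT"])}

def netbios_report(lines, trusted_cidr):
    """Classify NetBIOS traffic that crosses the trust boundary.

    inbound:  {external src: set of internal hosts it probed}   (share scanning)
    outbound: {internal src: set of external hosts it reached}  (likely infected)
    """
    trusted = ipaddress.ip_network(trusted_cidr)
    inbound, outbound = {}, {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or (rec["proto"], rec["dpt"]) not in NETBIOS_PORTS:
            continue
        src_in = ipaddress.ip_address(rec["src"]) in trusted
        dst_in = ipaddress.ip_address(rec["dst"]) in trusted
        if not src_in and dst_in:
            inbound.setdefault(rec["src"], set()).add(rec["dst"])
        elif src_in and not dst_in:
            outbound.setdefault(rec["src"], set()).add(rec["dst"])
    return inbound, outbound

def scanners(inbound, min_hosts=2):
    """External sources that probed at least min_hosts internal machines."""
    return sorted(s for s, hosts in inbound.items() if len(hosts) >= min_hosts)

# Constructed sample lines in iptables LOG style (documentation address ranges).
SAMPLE_LOG = [
    "IN=ppp0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "IN=ppp0 OUT= SRC=198.51.100.7 DST=192.168.1.11 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "IN=ppp0 OUT= SRC=198.51.100.7 DST=192.168.1.11 PROTO=TCP SPT=1032 DPT=139 WINDOW=8192",
    "IN=eth0 OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.44 PROTO=TCP SPT=1040 DPT=139 WINDOW=8192",
    "IN=eth0 OUT= SRC=192.168.1.12 DST=192.168.1.10 PROTO=TCP SPT=1041 DPT=139 WINDOW=8192",
    "IN=ppp0 OUT= SRC=198.51.100.9 DST=192.168.1.10 PROTO=TCP SPT=2200 DPT=80 WINDOW=8192",
]
```

LAN-internal share traffic (line 5) and non-NetBIOS ports (line 6) are ignored, so the report only shows what a perimeter block on 137-139 would have stopped.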



Response Number 8
Name: Anthony
Date: October 30, 2002 at 16:18:44 Pacific

To Brad Peterson,
first of all I need to thank you for the grc.com link, which solved my problem with that Opaserv thing (such a waste of resources for a good programmer(s)!!!!).
Now I'm using a NetBEUI local network and everything looks fine (so far so good).
A suggestion to all users... don't use file sharing over TCP/IP... it's not safe.

Good luck



Response Number 9
Name: TakeNotes
Date: November 1, 2002 at 09:14:23 Pacific

There is a 4th file associated with this virus, and it is PUT.INI located in your root directory. I ran the Norton tool, and it failed to remove this file. So I removed it manually. The virus is now gone for good.



Response Number 10
Name: Brad Peterson
Date: November 1, 2002 at 12:04:05 Pacific

That put.ini file was useful! It was your old win.ini file before the virus got to it. Well, sometimes it's this way. I've seen where there's no put.ini file; where the put.ini file is on your C:\ and your win.ini file is still the same in your Windows directory; where the worm deletes almost all the content of your win.ini, but there's a full put.ini file; and finally, no put.ini file with an almost fully deleted win.ini file.

So to sum up, hopefully your win.ini file wasn't trashed before you deleted that put.ini. If not, then you'll probably have to reinstall Windows (to get fonts working again, along with printer drivers).

Brad Peterson
b_peterson@yahoo.com
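Posts #9 and #10 describe the worm starting itself from win.ini and leaving put.ini behind as the pre-infection copy. The following is an added example (not from the thread or from any vendor tool it mentions) that parses both files, flags run=/load= entries naming the components the thread lists, and reports sections that survive in put.ini but are gone from win.ini; the two sample files are constructed for the example.

```python
import re

# Component names the thread reports for Opaserv (compared case-insensitively).
OPASERV_NAMES = {"scrsvr.exe", "brasil.pif", "brasil.exe", "alevir.exe"}

def parse_ini(text):
    """Parse a win.ini-style file into {section: {key: value}} (lower-cased names)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_entries(ini):
    """Programs started at logon from the run= and load= lines of [windows]."""
    win = ini.get("windows", {})
    return [p for key in ("run", "load")
            for p in re.split(r"[,\s]+", win.get(key, "")) if p]

def suspicious_autoruns(entries):
    """Autorun entries whose file name is one of the worm's components."""
    return [e for e in entries
            if e.replace("/", "\\").rsplit("\\", 1)[-1].lower() in OPASERV_NAMES]

def compare_with_backup(win_ini_text, put_ini_text):
    """Use put.ini (the pre-infection copy) to show what the worm changed: returns
    (worm autorun entries to remove, sections in put.ini missing from win.ini)."""
    current, backup = parse_ini(win_ini_text), parse_ini(put_ini_text)
    suspicious = suspicious_autoruns(autorun_entries(current))
    missing = sorted(set(backup) - set(current))
    return suspicious, missing

# Constructed sample: win.ini after the worm added its run= entry and the
# [fonts] section was lost; put.ini is the constructed untouched copy.
INFECTED_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\scrsvr.exe\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
BACKUP_PUT_INI = ("[windows]\nload=\nrun=\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
                  "[fonts]\nArial (TrueType)=ARIAL.TTF\n")

if __name__ == "__main__":
    print(compare_with_backup(INFECTED_WIN_INI, BACKUP_PUT_INI))
```

A non-empty second list is the "trashed win.ini" case from post #10, where the missing sections can be copied back from put.ini instead of reinstalling.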



Response Number 11
Name: Mack M. Braly
Date: November 11, 2002 at 01:27:49 Pacific

Well, I've been through all the instructions to remove the Worm, and done them. But I found "Alevir.exe" in my C:/ root. When I try to delete it, I'm told I can't delete it because Windows is using it.

I also had a "Put.ini" and a "temp.ini" that contained references to alevir and brazil files. I deleted them as well. Since logging on this session Norton has caught two attacks, the "put.ini" and "temp.ini" files are back, and a new file has appeared simply named "brasil".

AAARRGGHHHH!!!!!

mmb



Response Number 12
Name: Mack M. Braly
Date: November 12, 2002 at 11:37:45 Pacific

Further to my previous message, I was able to go in and edit the win.ini file to take out the line that caused alevir.exe to be included in the run instruction. I could then delete Alevir. However, I'm still having the same problem and Norton is showing that "Scrsvr.exe" is infected, but it can't be removed or quarantined because it reports that Windows is using that file. I think until I can get it out of the system, I'm going to continue to have the problem. Anyone have any suggestions?

MMB

