Worm.Win32.Opasoft.h, W32/Opaserv.worm, W95/Opaserv.worm.P, W32.Opaserv.J.W
Spreads over unprotected network resources, Backdoor function.
Spreads over unprotected network resources.
When activated, Worm/OpaSoft.J checks for 'Srv32Old' in the registry entry:
If present, the related file is deleted. If not, the worm checks for 'Srv32' in the registry entry:
If not present, the worm registers:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesA Srv32 C:\WinDIR\Srv32.exe
Then it checks whether the file C:\Windows\Srv32.exe has already been activated. If not, the worm copies itself to this file and registers:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices Srv32 C:\WinDIR\Srv32.exe
After checking the registry and the location it runs from, the worm uses a mutex named Srv3231415 to ensure that only one copy of itself is running in system memory.
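The autostart entries described above can be checked for in a registry export. The following is an added example, not code from Avira: it assumes a REGEDIT4-format text export of the registry, the function name `find_opasoft_entries` is hypothetical, and the sample export is constructed. It matches any key whose last component starts with `RunServices`, so both spellings of the key given above are covered.

```python
import re

# Indicators taken from the description above.
RUN_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\RunServices\w*$",
    re.IGNORECASE,
)
VALUE_NAMES = {"srv32", "srv32old"}
FILE_NAME = "srv32.exe"
# "name"="data" line in a REGEDIT4 export (backslashes and quotes escaped).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_opasoft_entries(reg_text):
    """Return (key, value_name, data) for each matching autostart entry."""
    hits = []
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new key section
            continue
        if key is None or not RUN_KEY_RE.match(key):
            continue                  # only RunServices* keys are of interest
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        data = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping
        basename = data.rsplit("\\", 1)[-1].lower()
        # Flag the value names from the description, or any value that
        # launches a file called Srv32.exe under a different name.
        if name.lower() in VALUE_NAMES or basename == FILE_NAME:
            hits.append((key, name, data))
    return hits

# Constructed sample export, for illustration only.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Srv32"="C:\\WINDOWS\\Srv32.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_opasoft_entries(SAMPLE_EXPORT):
        print(f"suspicious autostart: [{key}] {name} -> {data}")
```

A hit only shows that a matching autostart entry exists; the file it points to still has to be examined.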
The worm exploits a security vulnerability in Microsoft Windows 95/98/Me. It sends single password characters to the network resource to gain access to files on other Windows 95/98/Me systems without knowing the password.
The affected systems are:
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me
The worm appears to be able to update itself by reading files from a website.
It also tries to download a file named Sccss.
Worm/OpaSoft.J also has backdoor functions that allow the attacker access to a computer. For this purpose, the worm opens a random TCP and UDP port to contact the attacker.
Description inserted by Crony Walker on Tuesday, June 15, 2004