malcolm.warden at virgin.net
Wed Nov 13 13:42:39 GMT 2002
Sophos AV came up with W32/Opaserv-D and W32/Opaserv-C on one workstation this
morning. Running a full scan elsewhere gives me a clean bill of health but I'm
uncertain on how the damn thing bit me in the first place and would appreciate
Small family peer-to-peer network,
One W2000pro machine with ISDN running ICS, protected by Sophos and ZA Pro
This machine also runs Mercury mail server but nothing else
It checks as clean
Another Machine (Win98se) - normally a client for ICS also with ZA Pro and
This machine has all WP data etc stored on the W2000 machine and runs Pegasus
mail etc etc from the W2000 machine.
This is the PC with W32/Opaserv-D and C
Motherboard failure on the W2000 machine on Saturday - so I temporarily placed
the W2000 PC data disks into an old desktop (also W2000) but did not restore
the ISDN connection to this PC. Instead, I started up an ISDN connection to the
PC that got the worm (but it still has ZA and Sophos so there should be no
Only this one PC has the worm (two files
The registry and win.ini were untouched but it was trying to make an internet
connection without me understanding why.
The other PCs have file sharing enabled but are untouched and have nothing in
the AV log.
The infected PC has 'not shared' on the Windows directory (I only looked after
removing the virus so it's possible that Sophos changed that?)
The Sophos site says 'anyone ... connected to the Internet who has file sharing
enabled and who enables NETBIOS over TCP/IP is potentially vulnerable...'.
What is netbios and is there something else I need to do to protect against
It seems that it got through my defences somehow but did not trigger - is this
Is there somewhere I could look in the ZA log to spot the point of entry?
Why do I need M$ QManager? It is blocked in ZA - but would this cause an
attempted dial-up before ZA said 'no'?
Should I be concerned about the following Registry entries (All
HKLM\Software......Current Version\Run )
NvCp/Daemon Rundll32.exe NvQTwk, NvCp/Daemon initialise
NWiz NWiz.exe / install
LoadQM (can I just blow this away?)
Any suggestions and pointers greatly appreciated.
[P] 01608 685592
[F] 01608 685595
[M] 07905 185406
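On the question of where to look in the firewall log: the worm family named above spreads over NetBIOS/SMB file sharing, so inbound hits on ports 137-139/445 from one remote address, and outbound connection attempts from the local machine to port 139 on many remote hosts, are the entries worth pulling out. The script below is an added example, not part of the original post; it assumes a comma-separated ZoneAlarm-style text log (direction, date, time, source, destination, protocol) and uses constructed sample lines with documentation-range addresses.

```python
from collections import Counter

# NetBIOS name/datagram/session ports plus direct-hosted SMB.
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed sample log; format assumed to be ZoneAlarm's
# "FWIN|FWOUT,date,time,src_ip:port,dst_ip:port,proto (flags)".
SAMPLE_LOG = """\
FWIN,2002/11/13,09:14:02 +0:00 GMT,203.0.113.45:1034,192.0.2.10:139,TCP (flags:S)
FWIN,2002/11/13,09:14:05 +0:00 GMT,203.0.113.45:1035,192.0.2.10:137,UDP
FWIN,2002/11/13,09:20:11 +0:00 GMT,198.51.100.7:80,192.0.2.10:1123,TCP (flags:SA)
FWOUT,2002/11/13,09:31:40 +0:00 GMT,192.0.2.10:1040,198.51.100.22:139,TCP (flags:S)
FWOUT,2002/11/13,09:31:41 +0:00 GMT,192.0.2.10:1041,198.51.100.23:139,TCP (flags:S)
FWIN,2002/11/13,09:40:00 +0:00 GMT,203.0.113.45:1036,192.0.2.10:139,TCP (flags:S)
"""

def parse_line(line):
    """Return (direction, timestamp, src_ip, src_port, dst_ip, dst_port, proto), or None."""
    parts = line.strip().split(",")
    if len(parts) < 6 or parts[0] not in ("FWIN", "FWOUT"):
        return None
    src_ip, src_port = parts[3].rsplit(":", 1)
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return (parts[0], parts[1] + " " + parts[2], src_ip, int(src_port),
            dst_ip, int(dst_port), parts[5])

def netbios_summary(log_text):
    """Count inbound NetBIOS/SMB probes per remote source (with first-seen time)
    and outbound NetBIOS/SMB connection attempts per local source."""
    inbound, outbound, first_seen = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction, ts, src_ip, _, _, dst_port, _ = rec
        if dst_port not in NETBIOS_PORTS:
            continue
        if direction == "FWIN":
            inbound[src_ip] += 1
            first_seen.setdefault(src_ip, ts)   # earliest probe = likely point of entry
        else:
            outbound[src_ip] += 1              # local host scanning for remote shares
    return {"inbound": dict(inbound), "outbound": dict(outbound), "first_seen": first_seen}

if __name__ == "__main__":
    s = netbios_summary(SAMPLE_LOG)
    for ip, n in s["inbound"].items():
        print(f"inbound NetBIOS/SMB from {ip}: {n} hits, first at {s['first_seen'][ip]}")
    for ip, n in s["outbound"].items():
        print(f"outbound NetBIOS/SMB from local {ip}: {n} attempts (worm-like share scanning)")
```

A burst of outbound port-139 attempts to many unrelated addresses is the pattern that would explain an unexpected dial-up attempt, whereas repeated inbound hits from one source give the first-seen time to check against the AV detection time.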