[Dshield] W32/Opaserv-D

Malcolm Warden malcolm.warden at virgin.net
Wed Nov 13 13:42:39 GMT 2002


Sophos AV came up with W32/Opaserv-D and W32/Opaserv-C on one workstation this 
morning. Running a full scan elsewhere gives me a clean bill of health but I'm 
uncertain on how the damn thing bit me in the first place and would appreciate 
some pointers.

Setup (normally)
Small family peer-to-peer network:
    One W2000pro machine with ISDN running ICS, protected by Sophos and ZA Pro
    This machine also runs Mercury mail server but nothing else
    It checks as clean

    Another Machine (Win98se) - normally a client for ICS also with ZA Pro and 
    Sophos
    This machine has all WP data etc stored on the W2000 machine and runs Pegasus 
    mail etc etc from the W2000 machine.
    This is the PC with W32/Opaserv-D and C

Temporary Setup
    Motherboard failure on the W2000 machine on Saturday - so I temporarily placed 
    the W2000 PC data disks into an old desktop (also W2000) but did not restore 
    the ISDN connection to this PC. Instead, I started up an ISDN connection to the 
    PC that got the worm (but it still has ZA and Sophos so there should be no 
    difference?)

Analysis
    Only this one PC has the worm (two files:
    C:\WINDOWS\scrsvr.exe and
    C:\WINDOWS\Brasil.exe)
    The registry and win.ini were untouched but it was trying to make an internet 
    connection without me understanding why.
    The other PCs have file sharing enabled but are untouched and have nothing in 
    the AV log.
    The infected PC has 'not shared' on the Windows directory (I only looked after 
    removing the virus so it's possible that Sophos changed that?)

Questions
    The Sophos site says 'anyone ... connected to the Internet who has file sharing 
    enabled and who enables NETBIOS over TCP/IP is potentially vulnerable...'. 
    What is NetBIOS and is there something else I need to do to protect against 
    this?
    It seems that it got through my defences somehow but did not trigger - is this 
    correct?
    Is there somewhere I could look in the ZA log to spot the point of entry?
    Why do I need M$ QManager? It is blocked in ZA - but would this cause an 
    attempted dial-up before ZA said 'no'?
    Should I be concerned about the following Registry entries (all under 
    HKLM\Software......Current Version\Run)?
    NvCp/Daemon    Rundll32.exe NvQTwk, NvCp/Daemon initialise
    NWiz           NWiz.exe / install
    LoadQM         (can I just blow this away?)

Any suggestions and pointers greatly appreciated.

Thanks

--
Malcolm Warden

[P] 01608 685592
[F] 01608 685595
[M] 07905 185406
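One place to start on the "where did it get in" question is the firewall log. The script below is an added example (not part of Malcolm's post or anything from Sophos or Zone Labs): it reads ZoneAlarm-style FWIN/FWOUT text-log lines and counts inbound hits on the NetBIOS/SMB ports (137-139, 445) from addresses outside the LAN. The field order (type,date,time,src:port,dst:port,protocol) and the sample log lines are constructed assumptions; check them against a real ZAlog.txt before trusting the field positions.

```python
"""Triage a ZoneAlarm-style firewall log for inbound NetBIOS/SMB probes."""
import ipaddress
from collections import Counter

# Ports used by NetBIOS over TCP/IP (137-139) and direct-hosted SMB (445).
NETBIOS_PORTS = {137, 138, 139, 445}

# Addresses treated as "own LAN" traffic (RFC 1918, loopback, link-local).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log: two external probes of 137/139, one LAN browse
# packet, one unrelated inbound hit on port 80, one outbound connection.
SAMPLE_LOG = """\
FWIN,2002/11/13,09:12:01 +0:00 GMT,203.0.113.45:1034,192.0.2.10:137,UDP
FWIN,2002/11/13,09:12:03 +0:00 GMT,203.0.113.45:1041,192.0.2.10:139,TCP (flags:S)
FWIN,2002/11/13,09:15:44 +0:00 GMT,192.168.0.3:137,192.168.0.1:137,UDP
FWIN,2002/11/13,09:20:10 +0:00 GMT,198.51.100.7:3302,192.0.2.10:80,TCP (flags:S)
FWOUT,2002/11/13,09:21:00 +0:00 GMT,192.0.2.10:1050,198.51.100.9:25,TCP (flags:S)
"""

def is_lan(ip):
    """True if ip falls inside one of the LAN_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def parse_line(line):
    """Return (kind, src_ip, src_port, dst_ip, dst_port, proto) or None."""
    parts = line.strip().split(",")
    if len(parts) < 6 or parts[0] not in ("FWIN", "FWOUT"):
        return None
    src_ip, src_port = parts[3].rsplit(":", 1)
    dst_ip, dst_port = parts[4].rsplit(":", 1)
    return parts[0], src_ip, int(src_port), dst_ip, int(dst_port), parts[5].split()[0]

def netbios_probes(log_text):
    """Count inbound NetBIOS/SMB-port hits from non-LAN sources, per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind, src_ip, _, _, dst_port, _ = rec
        if kind != "FWIN" or dst_port not in NETBIOS_PORTS or is_lan(src_ip):
            continue  # outbound, non-NetBIOS, or normal workgroup browsing
        hits[src_ip] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in netbios_probes(SAMPLE_LOG).items():
        print(f"{ip}: {n} inbound NetBIOS/SMB attempt(s)")
```

A source that shows up repeatedly against 137 and then 139 is the pattern to look for; the timestamps give the window to compare with the AV log and the dial-up activity.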