Virus Links and information

The purpose of this page is to disseminate current information about viruses.

Current Status - October 15, 2002 - Low Alert

Name of the Virus: W32.Opaserv.Worm, Worm_Opasoft.A, W95/Scurmp.Worm       Medium Alert

Infects network shares
Attempts to make contact with a specific web site and download an executable from that specific site.
The worm also scans for the computer name and domain name of machines connected to the network. It then sends this information to the download site.

Operating Systems Affected:

    Windows 95
    Windows 98
    Windows 2000
    Windows XP
Ways this virus spreads:
Network shares, not protected by a password.

W32.Opaserv.Worm is a network-aware worm which attempts to replicate across open network shares. It copies itself to the file "scrsvr.exe" on the remote machine. This worm also attempts to download updates from a web site, although that site may have already been shut down. Indicators of infection include:

The existence of scrsin.dat and scrsout.dat in the root directory of the C: drive, indicating a local infection (the worm was executed on the local machine)
The existence of tmp.ini in the root directory of the C: drive, indicating a remote infection (infected by a remote host)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run contains a string value named ScrSvr or ScrSvrOld which is set to "c:\tmp.ini"

Removal instructions: Check the sites at the bottom of this page.


Name of the Virus:  W32.Bugbear@mm, Worm Bugbear_A       Medium Alert

Large scale mass mailer worm
Spoofs email addresses
Terminates some processes used by antivirus and personal firewall software
Infects network shares
Drops a backdoor Trojan that can log passwords

Operating Systems Affected:

Windows 95
Windows 98
Windows 2000
Windows XP

Ways this virus spreads:   W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has backdoor capabilities.

Email Subject line may read:

    Payment notices
    Just a reminder
    Correction of errors
    history screen
    I need help about script!!!
    Please Help...
    Membership Confirmation
    Get a FREE gift!
    Today Only
    New Contests
    Lost & Found
    bad news
    click on this!
    Market Update Report
    empty account
    My eBay ads
    25 merchants and rising
    CALL FOR INFORMATION!
    new reading
    Sponsors needed
    SCAM alert!!!
    its easy
    free shipping!
    Daily Email Reminder
    Tools For Your Online Business
    New bonus in your cash account
    Your Gift
    $150 FREE Bonus!
    Your News Alert
    Get 8 FREE issues - no risk!
    Confirmation of Recipes…

The email attachment may be one of these:

    3 July 2002.doc.pif

Removal Instructions - Check the sites below, they will have the removal instructions.
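The two Bugbear traits listed above that a mail gateway can act on are the subject line (one of the strings in the list) and the attachment name, which hides an executable behind a document-looking extension ("3 July 2002.doc.pif"). The script below is an added example for this page, not the page's own material or any antivirus vendor's code: it builds a constructed test message with the Python standard library and runs both checks over it. The subject list and the attachment name are taken from the page; the set of extensions treated as executable (EXEC_EXT) and the double-extension pattern are assumptions.

```python
"""Mail-gateway triage for the Bugbear traits listed above: a subject from the
worm's list and an attachment with a double extension ending in an executable
type (the page's sample is "3 July 2002.doc.pif").

Added example for this page, not the page's or any AV vendor's code. The
message is constructed with the standard library; the subject list and the
attachment name come from the page, while EXEC_EXT (which extensions count as
executable) is an assumption.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

BUGBEAR_SUBJECTS = {s.lower() for s in (
    "Payment notices", "Just a reminder", "Correction of errors", "history screen",
    "I need help about script!!!", "Please Help...", "Membership Confirmation",
    "Get a FREE gift!", "Today Only", "New Contests", "Lost & Found", "bad news",
    "click on this!", "Market Update Report", "empty account", "My eBay ads",
    "25 merchants and rising", "CALL FOR INFORMATION!", "new reading",
    "Sponsors needed", "SCAM alert!!!", "its easy", "free shipping!",
    "Daily Email Reminder", "Tools For Your Online Business",
    "New bonus in your cash account", "Your Gift", "$150 FREE Bonus!",
    "Your News Alert", "Get 8 FREE issues - no risk!",
)}

# Assumption: extensions Windows will execute when double-clicked.
EXEC_EXT = {"pif", "scr", "exe", "com", "bat", "vbs"}
# "name.doc.pif": a harmless-looking inner extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(?P<inner>[a-z0-9]{1,4})\.(?P<outer>[a-z]{2,4})$", re.I)


def build_sample_message(subject: str, filename: str) -> bytes:
    """Construct a test message (not a captured Bugbear sample)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # Bugbear spoofs this header; constructed
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(b"MZ\x90\x00 not a real binary", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def triage(raw: bytes) -> Dict[str, object]:
    """Return findings for one raw RFC 822 message; any finding => quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    findings: List[str] = []
    if subject.lower() in BUGBEAR_SUBJECTS:
        findings.append(f"subject on Bugbear list: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        m = DOUBLE_EXT.search(name)
        if m and m.group("outer").lower() in EXEC_EXT:
            findings.append(f"double-extension executable attachment: {name!r}")
        elif name.rsplit(".", 1)[-1].lower() in EXEC_EXT:
            findings.append(f"executable attachment: {name!r}")
    return {"subject": subject, "findings": findings,
            "verdict": "quarantine" if findings else "pass"}


if __name__ == "__main__":
    print(triage(build_sample_message("Just a reminder", "3 July 2002.doc.pif")))
    print(triage(build_sample_message("Lunch tomorrow?", "agenda.txt")))
```

The subject match is exact and case-insensitive, so it catches only the listed strings; the attachment check is the more durable of the two, since a double extension ending in .pif or .scr is suspicious whatever the subject says.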


Name of the Virus: Worm_Rodok.A, Henpek, W32/Fleming worm

This worm propagates via MSN Messenger
It updates itself by contacting a certain URL
Drops a backdoor

Are Definitions Available:  NO
Detection is available through:  NAVCE currently detects the backdoor as Evilbot.
Detected using Virus Definitions dated:  The backdoor Evilbot is detected using NAVCE virus definitions dated later than May 2002.

If you have been in contact with this worm, contact the Virus CERT right away:

Operating Systems Affected:

    Windows 95
    Windows 98
    Windows 2000
    Windows XP

Ways this virus spreads:
This memory-resident worm propagates via MSN Messenger. It updates itself by connecting to a certain URL. It also drops and executes a backdoor, detected by Symantec as Evilbot.

Infection Details:
This worm propagates via MSN Messenger. It is written in Visual Basic 6.0.
Upon execution, this worm displays a window with the following text strings:

Registry Settings
It checks for the following registry keys, adding them if they do not exist:

This worm opens MSN Messenger and sends the message below to everyone on the infected user's MSN contact list:
"Hey!! Could you please check out this program for me? :) I made it myself and want people to test it. Its a readme with the program that explains what it does!
http://home.<blocked>.net/downl0ad/BR2002.exe <-- There you can download it! give me advices on what to upgrade please!!"
Recipients of the message are not automatically infected with the worm. Infection happens only when the recipient clicks the URL, which downloads the worm and executes it on the system.
It then searches for updates of itself and displays this text message:
It automatically updates itself by connecting to this URL, downloading the file and saving it as:

CD Key Stealer
The worm reads certain registry values and sends the data it finds to an MSN user named
The message appears as:
<infected person> says:
I have loaded the ur CDKEY Generator 1.3! CS: <CS Key> HL: <HL Key>
where <infected person> is the email address of the person whose machine is currently infected by the worm,
<CS Key> is the data of the following registry value:
<HL Key> is the data of the following registry value:

Backdoor Component
From the same URL, the worm also obtains this file:
and saves it under the path and filename:
It also creates the file WinUpdat.exeupdate.ur.address in the Windows folder. It then creates a registry entry so that the dropped file runs at every Windows startup:
WinUpdat = "C:\%WINDOWS%\WinUpdat.exeupdate.ur.address"
Trend Micro detects both WinUpdat.exeupdate.ur.address and hehe2397824.exe as BKDR_EVILBOT.A.

Other Details
This worm runs in the background using a random process name. The following text can be seen in its body:
I have loaded the ur CDKEY Generator 1.3!

Removal Instructions:

Identifying the Malware Program

Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

    1. Open Windows Task Manager.
       On Windows 9x/ME systems, press
       On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
    2. In the list of running programs*, locate the malware file or files detected.
    3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. Do the same for all detected malware files in the list of running processes.
    5. Also in the list of running programs*, locate and end the process:
    6. To check that the malware processes have been terminated, close Task Manager, and then open it again.
    7. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.

    1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press
    2. In the left panel, double-click the following:
    3. In the right panel, locate and delete the entry or entries:
       WinUpdat = "C:\%WINDOWS%\WinUpdat.exeupdate.ur.address"
       *Where %WINDOWS% is the Windows directory, which is usually C:\Windows or C:\WINNT
    4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system. (this is also the Norton Antivirus page)
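Both the W32.Opaserv indicators earlier on this page (ScrSvr / ScrSvrOld in the Run key pointing at c:\tmp.ini; scrsin.dat, scrsout.dat and tmp.ini in the root of C:) and the Worm_Rodok.A cleanup just described (the WinUpdat autostart entry) come down to the same check: look at the Run key and the root directory for known names. The script below is an added example for this page, not the page's own material or any antivirus vendor's tool. Rather than touching the live registry it parses a .reg export of the Run key (the text Registry Editor or reg export produces), so it can be run offline against an export saved from a suspect machine; the export and the directory listing embedded here are constructed, and the three value names and paths are those given on the page.

```python
r"""Offline check for the autostart and file indicators this page lists for
W32.Opaserv (ScrSvr / ScrSvrOld -> c:\tmp.ini; scrsin.dat, scrsout.dat and
tmp.ini in the root of C:) and for Worm_Rodok.A (WinUpdat ->
%WINDOWS%\WinUpdat.exeupdate.ur.address).

Added example for this page, not code from the page or from any AV vendor. It
reads a .reg export of the Run key so it can run on any machine against a saved
export; the export text and root listing below are constructed.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Autostart value name -> (family, fragment of the path the page says it points at).
KNOWN_AUTOSTART = {
    "scrsvr":    ("W32.Opaserv.Worm", r"c:\tmp.ini"),
    "scrsvrold": ("W32.Opaserv.Worm", r"c:\tmp.ini"),
    "winupdat":  ("Worm_Rodok.A backdoor (Evilbot)", "winupdat.exeupdate.ur.address"),
}

# Opaserv marker files in the root of C: and what each one means.
OPASERV_FILES = {
    "scrsin.dat":  "local infection (worm executed on this machine)",
    "scrsout.dat": "local infection (worm executed on this machine)",
    "tmp.ini":     "remote infection (copied in over a share)",
}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="string value"; dword:/hex: values are not needed here and are skipped.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """.reg files write \" for a quote and \\ for a backslash inside strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"="value" lines into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_autostart_iocs(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, value data, family) for Run entries matching the page.
    Registry names and Windows paths are case-insensitive, so compare lower-cased."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            known = KNOWN_AUTOSTART.get(name.lower())
            if known and known[1] in data.lower():
                hits.append((name, data, known[0]))
    return hits


def classify_opaserv_files(root_listing: List[str]) -> Dict[str, str]:
    """Map each Opaserv marker file present in the root of C: to its meaning."""
    present = {f.lower() for f in root_listing}
    return {f: why for f, why in OPASERV_FILES.items() if f in present}


# --- constructed sample data (not a real export or listing) -----------------
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScrSvr"="c:\\tmp.ini"
"WinUpdat"="C:\\WINDOWS\\WinUpdat.exeupdate.ur.address"
'''
SAMPLE_ROOT = ["IO.SYS", "MSDOS.SYS", "tmp.ini", "scrsin.dat", "scrsout.dat"]

if __name__ == "__main__":
    for name, data, family in find_autostart_iocs(SAMPLE_REG):
        print(f"Run\\{name} = {data}  <- {family}")
    for f, why in classify_opaserv_files(SAMPLE_ROOT).items():
        print(f"C:\\{f}: {why}")
```

The path fragment check matters: a legitimate program could in principle use the name ScrSvr, so the script only reports an entry when the name and the path both match what the page describes. Nothing is deleted automatically; the output tells you which Run value and which files to remove by hand, following the procedure above.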

For Microsoft security patches

I make no warranties about how good these sites are.
