virus : opaserv, opasoft .opaopa...
W32/Opaserv-A is a worm that spreads via network shares.

When executed the worm will create a file called scrsvr.exe or alevir.exe in the Windows folder on the current drive. W32/Opaserv-A then adds one of the following registry entries to run itself when the system starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr = C:\WINDOWS\ScrSvr.exe

or

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\alevir = C:\WINDOWS\alevir.exe

The worm scans a range of IP addresses for the local area network searching for computers with an open C: share and NETBIOS enabled over TCP/IP. When a share is found the worm is copied to the Windows folder of that share and modifies the win.ini file so that the worm is executed the next time Windows is started on that computer.

Once the local area network has been scanned the worm will start performing the same search on the internet starting at a randomly generated IP address. As a result anyone connected to the internet who has file sharing enabled and who enables NETBIOS over TCP/IP is potentially vulnerable to this worm.

W32/Opaserv-A also attempts to connect to a website that is currently unavailable. This attempted connection is most likely intended as a means of updating the worm executable.

The following three non-viral files may be found in the root folder of infected systems:

tmp.ini
scrsin.dat
scrsout.dat

theOS

Paul Lacatus wrote:

>One of the workstations behind a squid proxy is locking up my machine by
>filling the /var partition with access.log, with the following lines:
>
>1060687666.424 2 192.168.1.27 TCP_MISS/503 1500 GET http://www.n3t.com.br/work/sscheduler.php? - NONE/- text/html
>1060687666.431 95 192.168.1.27 TCP_MISS/503 1383 GET http://www.instituto.com.br/attackDoS.php? - NONE/- text/html
>1060687666.431 4 192.168.1.27 TCP_MISS/503 1500 GET http://www.n3t.com.br/work/sscheduler.php? - NONE/- text/html
>1060687666.431 4 192.168.1.27 TCP_MISS/503 1501 GET http://www.opasoft.com/work/scheduler.php? - NONE/- text/html
>1060687666.437 2 192.168.1.27 TCP_MISS/503 1500 GET http://www.n3t.com.br/work/sscheduler.php? - NONE/- text/html
>
>What the hell is on that machine? So I know what to look for?
>
>Paul
>
>---
>Details about our mailing lists: http://www.lug.ro/
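An added example, not part of the original thread: one way to find which workstation is flooding a Squid access.log the way the quoted lines show, by counting failed fetches of the same URL per client inside a short time window. The sample log is constructed (example.* hosts), and the 1-second window and threshold of 3 are assumptions to tune for your proxy.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format, modelled on the
# lines quoted in the message above (hosts replaced with example.* names).
SAMPLE_LOG = """\
1060687666.424 2 192.168.1.27 TCP_MISS/503 1500 GET http://update.example.com/work/scheduler.php? - NONE/- text/html
1060687666.431 95 192.168.1.27 TCP_MISS/503 1383 GET http://other.example.net/page.php? - NONE/- text/html
1060687666.431 4 192.168.1.27 TCP_MISS/503 1500 GET http://update.example.com/work/scheduler.php? - NONE/- text/html
1060687666.437 2 192.168.1.27 TCP_MISS/503 1500 GET http://update.example.com/work/scheduler.php? - NONE/- text/html
1060687670.100 310 192.168.1.40 TCP_MISS/200 8123 GET http://www.example.org/index.html - DIRECT/203.0.113.10 text/html
not a log line
"""

def parse_line(line):
    """Return (timestamp, client, result_code, url), or None if malformed."""
    fields = line.split()
    if len(fields) < 10:          # native format has 10 whitespace-separated fields
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return ts, fields[2], fields[3], fields[6]

def noisy_clients(log_text, window=1.0, threshold=3):
    """Map (client, url) -> peak count of 5xx fetches seen within `window` seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, code, url = rec
        if code.rpartition("/")[2].startswith("5"):   # e.g. TCP_MISS/503
            hits[(client, url)].append(ts)
    flagged = {}
    for key, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):             # sliding window over timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (client, url), count in noisy_clients(SAMPLE_LOG).items():
        print(f"{client} retried {url} {count} times within 1s")
```

A client flagged here is the machine to inspect for the startup entries and files listed in the reply above.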
