DESCRIPTION:
Opaserv-A is a Win32 worm that spreads through network shares.
A file called Scrsvr.Exe or Alevir.Exe is created in the Windows
subdirectory (folder) once the worm is executed.
REMOVAL INSTRUCTIONS
- Run REGEDIT and delete the entries:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ScrSvr=C:\WINDOWS\ScrSvr.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
alevir=C:\WINDOWS\alevir.exe
- Then click on 'Edit' (top bar). Click on 'Find'. Find and delete any entry that contains these keywords:
- Alevir*.*
- Marco*.*
- ScrSvr*.*
- AleSout*.*
- For Windows 95, 98 or ME you will also have to edit WIN.INI.
For Windows ME run "SYSEDIT" to edit WIN.INI.
Click "Start", click "Run" and type:
EDIT C:\WINDOWS\WIN.INI
Delete these lines:
run= c:\ScrSvr.exe
run= c:\temp.ini
Save WIN.INI and Exit.
- Boot up with a clean DOS Diskette.
- Run VBUSTER.EXE:
- Press F1. Press S.
Search for and Delete these files:
c:\temp.ini
Alevir*.*
Marco*.*
put.ini
- Scan your hard disk using V-Buster.
Delete all infected files.
Other Strains of the Opaserv Worm
Removal instructions for other strains of the Opaserv worm are similar, except that the active infected file in the Windows subdirectory has a different name. Follow the same instructions listed above, but substitute the new file name.
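
The Run key and WIN.INI checks from the removal steps above, as an added Python example (not part of the original instructions and not part of V-Buster). The sample WIN.INI text and Run values are constructed, and the keyword list is a parameter so the file name of another strain can be substituted.

```python
import fnmatch
import ntpath

# Keywords and file names listed in the removal steps (matched case-insensitively).
KEYWORDS = ["alevir*", "marco*", "scrsvr*", "alesout*", "temp.ini", "put.ini"]

def is_suspect(text, keywords=KEYWORDS):
    """True if a value name, or the file-name part of a path, matches a keyword."""
    name = ntpath.basename(text.strip().strip('"')).lower()
    return any(fnmatch.fnmatchcase(name, k.lower()) for k in keywords)

def scan_win_ini(text, keywords=KEYWORDS):
    """Return (line_number, section, line) for each run= line naming a listed file."""
    hits, section = [], ""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "run":
            # A run= line may list several programs separated by spaces or commas.
            if any(is_suspect(p, keywords) for p in value.replace(",", " ").split()):
                hits.append((number, section, line))
    return hits

def scan_run_key(values, keywords=KEYWORDS):
    """values maps value name -> data as read from the Run key; return names to delete."""
    return sorted(name for name, data in values.items()
                  if is_suspect(name, keywords) or is_suspect(data, keywords))

# Constructed sample input, not taken from a real machine.
SAMPLE_WIN_INI = r"""[windows]
load=
run= c:\ScrSvr.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN = {"ScrSvr": r"C:\WINDOWS\ScrSvr.exe", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for number, section, line in scan_win_ini(SAMPLE_WIN_INI):
        print(f"WIN.INI line {number} [{section}]: {line}")
    for name in scan_run_key(SAMPLE_RUN):
        print(f"Run value to delete: {name}")
```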