Topic: speedy.pif (read 754 times)
15 Aug 2006, 16:14:51
Chronicler of everyday life
This is some virus that has attached itself to one machine and I don't know what to do with it. It sits in a few places, but I can't completely delete the source file. Does anyone know anything more about this???

I found this text on Zone Labs, but even when I delete everything it says there, it comes back again. Help!


Virus Information powered by Computer Associates
Virus Name: Opaserv.AG
Pervasiveness: 3 of 5
Destructiveness: 2 of 5
Wildness: 2 of 5
Type: Worm
Aliases: [W32/]Opaserv.worm.gen (McAfee); [W32.]Opaserv.AD.Worm (Symantec); [Win32.]Opaserv.AG; [W32/]Opaserv.AE (Wildlist); [Win32/]Opaserv.P.Worm (InoculateIT); [W32/]Opaserv.worm.ac (McAfee); [Worm.]Win32.Opasoft.p (Kaspersky);
Date Modified: 15-Jan-2004
Date Published: 24-Sep-2003

Description:

Win32.Opaserv.AG is a worm which spreads through shared Windows drives.

Method of Installation

When executed, Win32.Opaserv.AG attempts to create a mutex (Mutual Exclusion Object) called <SpeedyDoS3!> in order to check if it is already running on the target machine. If this fails, Opaserv.AG exits. If this succeeds, it then copies itself to C:\Windows\SPEEDY.PIF and adds the following value to the registry so that this copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Spees3 = "C:\Windows\Speedy.pif"

It also creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpeedLent = "<Location of the source file>"

This value is set to the file from which the worm was originally run.

Opaserv then deletes the file that it was originally run from and the associated registry entry (above).

Opaserv.AG also creates the following files for storing data: C:\Windows\banda! and C:\Windows\podre!!

Method of Distribution

Via Network Shares

It attempts to copy itself across Windows Networking (SMB) networks by exploiting a very old vulnerability in the way Windows 95, 98, 98SE and ME machines verify network share passwords. In short, unpatched versions of these Operating Systems can be fooled into accepting just a single character password, regardless of how long a password is actually set on the share (so long as a password has been set). Microsoft shipped a patch to fix this vulnerability in October 2000. A brief description of the problem with links to the patch download locations and installation instructions is available from this Microsoft security bulletin:

http://www.microsoft.com/technet/security/bulletin/ms00-072.asp

All users of Windows 95, 98, 98SE and ME machines that have file and print sharing enabled should obtain and install that patch, as despite the rather weak recommendation the security bulletin gives its installation, it really should be considered a critical update. Exploit code, allowing remote password discovery against share-level passwords, has been available since around the time the vulnerability was first disclosed, but Opaserv is the first malware known to have exploited this weakness.

The share-level password vulnerability only affects the non-NT versions of Windows. Further, it only affects shares available via share-level access permissions - Windows 9x and ME machines that are part of a domain and only employ user-level (or domain) access controls are not vulnerable to this exploit. Microsoft recommends "... that user-level access permissions be granted to shares rather than share level permissions based on passwords".

Earlier reports of Opaserv's operation suggested that it spread through open shares (i.e. ones with no passwords) or shares with only very short, or one character, passwords. This is incorrect. Opaserv spreads by exploiting the share-level password vulnerability mentioned above, specifically trying to attach to the 'C' share (the default name of a share based at the root of the C: drive) of randomly selected IP addresses. If it can attach to such a share, it attempts to copy itself to c:\windows\speedy.bat on the share, creates the file c:\Toma!!!, and adds the following line to Win.ini on Windows 9x machines (so that it will run at the next Windows start):

Run=c:\windows\speedy.bat

Note: Even though this particular vulnerability does not affect NT-based Windows operating systems, (NT, 2000, XP), Opaserv will still successfully copy itself to these systems if it finds a share that meets the above criteria.

Failure to patch this vulnerability in Windows means that disinfecting a machine is only a very temporary fix so long as it remains attached to the network(s) from which it was initially infected. If access to Microsoft Networking ports cannot be blocked or otherwise hardened with a firewall or similar means and a Windows 9x or ME machine must be left on a hostile network, the patch absolutely must be applied or the machine will likely be re-infected in short measure.

Additional Information

The worm attempts to update itself from particular websites. At the time of writing, these sites were no longer available.

Analysis by Paul Taylor
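
Added here as a defender's worked example, not part of the original post or of Computer Associates' write-up: a Python check for the host artifacts the description names (the Run values Spees3 and SpeedLent, anything under Run that launches speedy.pif or speedy.bat, and the Run= line the worm adds to Win.ini). It works offline against the text of a regedit export and a copy of Win.ini; the sample inputs are constructed, not real captures.

```python
import re

# Artifact names come from the Computer Associates write-up quoted above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"spees3", "speedlent"}
PAYLOAD_RE = re.compile(r"speedy\.(pif|bat)", re.IGNORECASE)

def scan_reg_export(reg_text):
    """Return (value name, data) pairs under HKLM\\...\\Run that either carry the
    worm's value names or launch speedy.pif / speedy.bat. Input is the text of a
    regedit export, in which backslashes inside string data are doubled."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name.lower() in RUN_VALUE_NAMES or PAYLOAD_RE.search(data):
            findings.append((name, data))
    return findings

def scan_win_ini(ini_text):
    """Return the Run= line of the [windows] section if it starts speedy.bat,
    the Windows 9x autostart the worm adds after copying itself over a share."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.lower().startswith("run=") \
                and PAYLOAD_RE.search(line):
            return line
    return None

# Constructed sample inputs (not real captures): an infected host's Run key
# export and its Win.ini, with one benign Run value mixed in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Spees3"="C:\\Windows\\Speedy.pif"
"SpeedLent"="C:\\Windows\\speedy.bat"
"Updater"="C:\\Program Files\\Updater\\upd.exe"
'''
SAMPLE_INI = "[windows]\nload=\nRun=c:\\windows\\speedy.bat\n[Extensions]\ntxt=notepad.exe ^.txt\n"
```

Any hit from either scanner on a machine that was already cleaned points at the re-infection path the write-up describes: a neighbouring host on the same SMB network, not the disk.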

Forum veteran / Forum superstar
Install some other AV program and scan with it; if it doesn't remove it, it will leave the path to the infected file, which you can freely delete by hand ;)
Everyday passer-by
Go into safe mode and then scan the computer! Get a better AV, update it and scan; I think that has already become common knowledge. I think it's better to scan the computer in safe mode, isn't it? Belgarde
Forum veteran / Forum superstar
Better to scan in safe mode... hehe, well, careful... it's not quite like that... safe mode is used more as a radical measure...
Chronicler of everyday life
I've tried everything: I scanned with Antivir, Avast, Panda, Kaspersky, BitDefender, even the online scanners of all of them.
Ad-Aware finds it and supposedly deletes it, but not one of them can delete the source. And when I delete it, it doesn't come back right away, but after two or three days. That computer is a cash register in a shop; it has no internet connection, so it's not clear to me :) , it doesn't even have a CD-ROM.
Rising star
Okay, and did you scan from safe mode? Even if you did, do it again, but before that open Task Manager and see which processes are active. Then simply kill all the ones that look suspicious to you, and if you don't know which, take a screenshot and post it.
Basically you can't break it any more than it already is - I've often closed process by process that way until I find the one that is locking my file. And once I find it, I delete both the pif file and the process, directly, without any AV.
And what is equally important - when you delete, press Shift and hold it down and then Delete - that way the files are deleted permanently.