I could tell something was not right because the activity
LED on my router was blinking like crazy.
So I fired up the protocol analyzer,
and saw my PC was trying to get to a site
called WWW.N3T.COM.BR -
then I searched on the Symantec site,
and yup - there it was -
So - how did I get it -
I use Eudora for ALL email, so no Outlook auto-infect probs.
we don't open attachments we are not expecting
we don't have floppies
we don't.... do all the usual dumb things...
except - doing a manual virus scan vs an auto-protect :)
but I must have caught it somewhere along the line,
I just can't see where -
The only thing - has been some weird SPAM email -
Phil -
>This morning I discovered I had the OPASERV.E virus -
>
>I could tell something was not right because the activity
>LED on my router was blinking like crazy.
>So I fired up the protocol analyzer,
>and saw my PC was trying to get to a site
>called WWW.N3T.COM.BR -
>then I searched on the Symantec site,
>and yup - there it was -
>
>So - how did I get it -
Open (or not sufficient password protection) shares?
You probably got this via open shares in your network settings. For
info and cleaning instructions go to:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.E
Earl Felts
this is a SOHO -
checked all the other systems, nothing -
the C: drive is R/W protected anyway -
Phil -
>> Open (or not sufficient password protection) shares?
>this is a SOHO -
WTF is a SOHO? :)
Small Office Home Office
Are you connected to broadband? If so, have you ensured that the
windoze file sharing protocols are not passed out through to the net?
>"Phil Schuman" <pschuma...@interserv.com> wrote:
>>> Open (or not sufficient password protection) shares?
>>this is a SOHO -
>WTF is a SOHO? :)
Small Office/Home Office.
Been in common use for a decade, mebbe a decade-and-a-half.
OJ III
Yes, I have DSL service with dynamic IP but I'm not on a LAN of any
kind. I've followed the unbinding procedure for Win 98 at Steve
Gibson's web site. I've found that all 64K of my internet ports are
normally closed. I use no firewall and have no problems.
Why do you ask?
And what relevance does it have to OPASERV?
>Ogden Johnson III <o...@cpcug.org> wrote:
>>art...@claymania.com (Art Kopp) wrote:
>>>"Phil Schuman" <pschuma...@interserv.com> wrote:
>>>>> Open (or not sufficient password protection) shares?
>>>>this is a SOHO -
>>>WTF is a SOHO? :)
>>Small Office/Home Office.
>>
>>Been in common use for a decade, mebbe a decade-and-a-half.
>And what relevance does it have to OPASERV ?
Because in the context of your question on shares, Phil was trying to
tell you that it is a stand-alone system, not networked.
OJ III
>>And what relevance does it have to OPASERV ?
>
>Because in the context of your question on shares, Phil was trying to
>tell you that it is a stand-alone system, not networked.
Then why the router?
> Yes, I have DSL service with dynamic IP but I'm not on a LAN of any
> kind. I've followed the unbinding procedure for Win 98 at Steve
> Gibson's web site. I've found that all 64K of my internet ports are
> normally closed. I use no firewall and have no problems.
>
> Why do you ask?
Opaserv worms along DSL lines as well. It "asks" on port 135 (NetBIOS)
for attention, and if the share isn't safe enough, it sneaks in (if I
understood correctly, by the port 137 or 139, NetBIOS, too).
A password doesn't help much if your Windows isn't patched, because it
is only as good as a one-letter-password, due to a bug. The fix is to be
found here (I hope, but their site is under construction):
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
You had better not share c:\Windows, or anything below it, and the same
is valid for C:\Programs. Both should be off limits for all unsolicited
executables, like worms, trojan horses, or similar malware.
I have three directories that are shared. One is my download directory,
one is for things I want to transfer to the other machine (eg game save
files), which will be uploaded into this dir, and fetched from there.
The third one is a collection of cd images.
None of them is within the "path" variable (if you want to know what
this means, open your DOS box and enter path, and you will be shown all
directories which are accessible without having to enter the path
first).
All are read-only, fixed with said patch. No way for opaserv to get in.
Gabriele Neukam
--
Whoever preaches war in the name of God, abuses religion.
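The "one-letter password" bug mentioned above (MS00-072) is worth seeing in code. The block below is an added example, not code from any poster in this thread: it models the flawed share-level password check, in which the Windows 9x server compared only as many bytes as the client claimed the password had, next to a whole-value comparison, and runs a byte-at-a-time guesser against both. The password `SECRET99`, the 8-byte cap and the omission of all SMB framing are assumptions made for the illustration.

```python
"""Added example: share-level password check, vulnerable vs. fixed.

Assumptions (not from the thread): the comparison logic is reduced to a
pure function; SMB framing is omitted; the stored password is the
constructed value b"SECRET99" and is capped at 8 bytes, mirroring the
Windows 9x share-level password length.
"""
import hmac

# Constructed sample share password (assumption, for illustration only).
STORED_PASSWORD = b"SECRET99"


def vulnerable_check(stored: bytes, supplied: bytes) -> bool:
    """Flawed server logic (MS00-072 style).

    The server trusts the client-supplied length and compares only that
    many bytes of the stored password, so a one-byte guess succeeds as
    soon as its single byte matches the first byte of the real password.
    """
    n = len(supplied)
    return n > 0 and stored[:n] == supplied


def fixed_check(stored: bytes, supplied: bytes) -> bool:
    """Patched behaviour: the whole value must match.

    compare_digest also avoids leaking the mismatch position via timing.
    """
    return hmac.compare_digest(stored, supplied)


def brute_force(check, max_len: int = 8):
    """Recover a password one byte at a time against `check`.

    `check` takes a candidate password and returns True on acceptance.
    Returns (password, attempts); password is None if no guess of any
    length was accepted.  Against the vulnerable check this costs at
    most 256 guesses per byte; against the fixed check a partial guess
    is never accepted, so the search stalls after the first 256 tries.
    """
    found = b""
    attempts = 0
    while len(found) < max_len:
        extended = False
        for b in range(256):
            attempts += 1
            guess = found + bytes([b])
            if check(guess):
                found = guess
                extended = True
                break
        if not extended:
            break  # no byte extends the prefix: either done or stalled
    if found and check(found):
        return found, attempts
    return None, attempts


def demo(stored: bytes = STORED_PASSWORD):
    """Run the guesser against both checks and return the two outcomes."""
    weak = brute_force(lambda g: vulnerable_check(stored, g))
    strong = brute_force(lambda g: fixed_check(stored, g))
    return {"vulnerable": weak, "fixed": strong}


if __name__ == "__main__":
    for name, (pw, attempts) in demo().items():
        print(f"{name:10s} recovered={pw!r} attempts={attempts}")
```

Run as a script, the vulnerable check gives up the full password in a few hundred guesses (one pass of at most 256 per byte), while the fixed check accepts nothing short of the exact value, which is why the patch matters more than a long password on an unpatched share.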
>On that special day, Art Kopp, (art...@claymania.com) said...
>
>> Yes, I have DSL service with dynamic IP but I'm not on a LAN of any
>> kind. I've followed the unbinding procedure for Win 98 at Steve
>> Gibson's web site. I've found that all 64K of my internet ports are
>> normally closed. I use no firewall and have no problems.
>>
>> Why do you ask?
>
>Opaserv worms along DSL lines as well.
DSL versus dialup is irrelevant insofar as open shares are concerned.
> On Fri, 20 Dec 2002 15:44:33 -0500, Ogden Johnson III <o...@cpcug.org>
> wrote:
>
> >>And what relevance does it have to OPASERV ?
> >
> >Because in the context of your question on shares, Phil was trying to
> >tell you that it is a stand-alone system, not networked.
>
> Then why the router?
Part of the l33t mystique <g>
I think some people believe that using the firewall features of a router
is better than an OS based firewall.
If you aren't running a network, then a router isn't needed, and dropping
a packet before it gets into the box isn't any different than dropping it
afterwards, it's not like it leaves a sticky residue inside your computer
or something ;-)
Bart
ok folks - let's put our brains in gear :)
It's a SOHO -
Yes - it is networked
No - no other systems were impacted, or were the originators -
I mentioned it was a SOHO in case
you wanted to know if the virus could come from anywhere else
and if it was a stand alone system, or on a corp net with 500 others -
The router does not pass the MS ports - I blocked that -
I also run BlackIce on this machine to prevent port probing,
and also let me see who is attempting it - ala Code Red -
So - we are pretty much on top of things,
but this one got by us somehow -
which gets me worried -
as the only thing this is used for
is really communicating via Eudora -
Phil -
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp
On Fri, 20 Dec 2002 08:35:04 -0600, "Phil Schuman"
<pschuma...@interserv.com> wrote in post:
>This morning I discovered I had the OPASERV.E virus -
<snip>
>So - how did I get it -
> I use Eudora for ALL email, so no Outlook auto-infect probs.
In Eudora...
Tools ---> Options ---> Viewing Mail
Make sure "Use Microsoft's viewer" is UNchecked.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Security 7.0.3
Comment: Because I *can* be.
iQA/AwUBPgQHAKRseRzHUwOaEQKMVQCeJyu2rYGZpXrWEAe/DTFYuC5A7OAAn27I
/M3N9CDDJBm3Ca4AtS4nUzuT
=SndT
-----END PGP SIGNATURE-----
--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A
Remove CLOTHES to reply.
Do you have any imaging software installed on the machine which you
may have used recently, eg Goback, Diskimage or Drive Image.
I note that you do use MS Outlook Express 5.5. I have had infection
from the Opaserv virus on 5 occasions. When all attachments were
scanned they were clean. I suspect that the virus can be passed in
email or via newsgroups, although the AV sites report that this is not
the case. The only other way may be via a website if it attached to a
banner which is run offline. I have puzzled for days over this one :o(
Fanman Uk.
To reply by email remove the "fanman."
> On Fri, 20 Dec 2002 08:35:04 -0600, "Phil Schuman"
> <pschuma...@interserv.com> wrote in post:
> >This morning I discovered I had the OPASERV.E virus -
> <snip>
> >So - how did I get it -
> > I use Eudora for ALL email, so no Outlook auto-infect probs.
>
> In Eudora...
>
> Tools ---> Options ---> Viewing Mail
>
> Make sure "Use Microsoft's viewer" is UNchecked.
Good advice.
<troll>
But is opaserv an 'e-mail virus'?
</troll>