F - O P A S R V
---------------

The F-Opasrv utility disinfects computers infected with all known
Opaserv (also known as Opasoft or Scrup) worm variants. The utility also
removes the worm's startup string from the RUN= variable in the WIN.INI
file.

The disinfection procedure is as follows:

1. Unpack the F-Opasrv utility from the provided ZIP archive with either
   the WinZip or PkUnzip utility. A trial version of the WinZip archiver
   can be downloaded from the following website:

   http://www.winzip.com/ddchomea.htm

2. Run the unpacked F-Opasrv.exe file from a hard disk to eliminate the
   Opaserv worm infection. You can run the utility either by
   double-clicking on it in Windows Explorer or by starting it from a
   command interpreter (COMMAND.COM or CMD.EXE): type its name at the
   command prompt and press 'Enter' (for advanced users).

   First the F-Opasrv utility will kill the Opaserv worm's processes in
   memory. Then the utility will scan your hard drive for infected files
   and delete them.

3. Reboot the system. After the restart your system should be clean.

If you have F-Secure Anti-Virus installed, the utility will temporarily
disable the on-access scanner to be able to disinfect your system. After
the utility completes disinfection, it re-enables the on-access scanner.

You can get a trial version of F-Secure Anti-Virus and the latest
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml

IMPORTANT NOTES
---------------

To protect computers and the network from the Opaserv worm, it is
recommended to install a firewall and to block NetBIOS ports 137 and
139. Otherwise the worm might reappear on a cleaned computer a few
minutes after it is connected to the Internet.

The utility clears the RUN= variable in the WIN.INI file.
If you have other programs that start themselves from that variable
(usually old 16-bit programs), it is advised to back up your WIN.INI
file before disinfection and then to transfer only your program's
startup string to the cleaned WIN.INI file manually.

If a computer running Windows NT, 2000 or XP is being disinfected,
please log in as Administrator or as a user with local admin rights,
otherwise the F-Opasrv utility might not disinfect the system correctly.

If the Opaserv infection is in a network environment, the network should
be temporarily taken down until all workstations and servers are
disinfected. A single infected workstation can re-infect already cleaned
computers.

If you have Windows ME or XP, it is recommended to disable the System
Restore feature of these operating systems to prevent your computer from
being re-infected with the Opaserv worm. System Restore might save the
infected file into its special folder and copy it back to the hard drive
every time it is deleted by the F-Opasrv utility. The instructions on
how to disable the System Restore feature are here:

Windows ME: http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us at the
'samples@f-secure.com' address.
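
As an added illustration of the WIN.INI note above (not part of the F-Opasrv utility or of F-Secure's documentation), the following Python example reads the RUN= entries from a WIN.INI backup taken before disinfection and writes only the programs you approve back into the cleaned file. The file contents, program paths and function names are constructed for illustration, and it assumes 8.3 paths separated by spaces or commas.

```python
import re

def run_entries(ini_text):
    """Return the programs listed on run= in the [windows] section."""
    section = None
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
        elif section == "windows" and "=" in s and not s.startswith(";"):
            key, value = s.split("=", 1)
            if key.strip().lower() == "run":
                # Assumption: entries are 8.3 paths split by spaces or commas.
                return [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return []

def restore_run(cleaned_text, keep):
    """Write only the approved programs to run= in a cleaned WIN.INI."""
    out, section, done = [], None, False
    for line in cleaned_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].strip().lower()
        elif section == "windows" and not done and re.match(r"(?i)run\s*=", s):
            line, done = "run=" + " ".join(keep), True
        out.append(line)
    if not done:
        raise ValueError("no run= line in the [windows] section")
    return "\r\n".join(out) + "\r\n"

def transfer(backup, cleaned, approved):
    """Return (new WIN.INI text, entries left out for manual review)."""
    found = run_entries(backup)
    keep = [p for p in found if p.lower() in approved]
    dropped = [p for p in found if p.lower() not in approved]
    return restore_run(cleaned, keep), dropped

# Constructed sample data: a backup made before disinfection and the
# cleaned file afterwards. UNKNOWN.EXE is a placeholder, not a real name.
BACKUP = ("[windows]\r\nload=\r\n"
          "run=C:\\OLDAPP\\REMIND.EXE C:\\WINDOWS\\UNKNOWN.EXE\r\n"
          "\r\n[Desktop]\r\nWallpaper=(None)\r\n")
CLEANED = "[windows]\r\nload=\r\nrun=\r\n\r\n[Desktop]\r\nWallpaper=(None)\r\n"
APPROVED = {"c:\\oldapp\\remind.exe"}  # programs you recognise as your own

if __name__ == "__main__":
    new_text, dropped = transfer(BACKUP, CLEANED, APPROVED)
    print(new_text)
    print("Not restored, review manually:", dropped)
```

Entries that are not in the approved set are reported instead of being restored, so an unrecognised startup string is never copied back into the cleaned file.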