Leading antivirus software makers have warned that the "Opasoft", "W32/Opasoft" or "Opaserv" virus, which emerged last week, takes advantage of a common Windows application program interface (API) and loose security practices to spread over local and wide-area networks. The worm's file name, Scrsvr.exe, misleads users into clicking on it because they think it is a screensaver.
Unlike other worms that spread from computer to computer over the Internet by way of infected e-mail messages, Opasoft takes advantage of the Network Basic Input/Output System (NetBIOS), an API containing functions used to send and receive data over Microsoft networks.
Once it hits a machine, Opasoft scans the infected computer's network for other machines to attack. When a vulnerable machine is located, the worm checks to see if the C: drive of that machine has been shared with other network computers and can be accessed.
If it can access the C: drive, Opasoft places a copy of itself on that machine, then alters the win.ini file so that the worm is run the next time the machine is restarted.
If the shared directory on the computer is password protected, the Opasoft worm will attempt to enter that folder by trying single-character passwords.
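The win.ini change described above can be checked for on a suspect machine. The following is an added example, not code from the article or from any vendor: it assumes the worm uses the standard `run=` or `load=` startup keys in the `[windows]` section of win.ini (the article does not say which line is altered), and the function names and sample file are constructed for illustration.

```python
import re

# Keys in the [windows] section of win.ini that Windows runs at startup.
AUTOSTART_KEYS = {"run", "load"}
# File name the article reports for the worm.
WORM_FILE = "scrsvr.exe"

def autostart_entries(win_ini_text):
    """Return [(key, program), ...] for run=/load= in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                                 # section names are case-insensitive
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key not in AUTOSTART_KEYS:
            continue
        # A value may list several programs separated by spaces or commas.
        entries += [(key, p) for p in re.split(r"[,\s]+", value.strip()) if p]
    return entries

def suspicious_entries(win_ini_text):
    """Startup entries whose file name matches the worm's, ignoring case and path."""
    return [(key, program) for key, program in autostart_entries(win_ini_text)
            if re.split(r"[\\/]", program)[-1].lower() == WORM_FILE]

# Constructed sample input, not taken from an infected machine.
SAMPLE = """\
; constructed win.ini for illustration
[fonts]
[windows]
load=C:\\TOOLS\\CLOCK.EXE
run=c:\\windows\\ScrSvr.exe
[Desktop]
run=ignored.exe
"""

if __name__ == "__main__":
    for key, program in suspicious_entries(SAMPLE):
        print(f"win.ini [windows] {key}= starts {program}")
```

A match only shows that something named Scrsvr.exe is set to start with Windows; any other unexpected `run=` or `load=` entry returned by `autostart_entries` deserves the same scrutiny.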
Offices are especially vulnerable if passwords have not been established to protect access to shared directories on the network, according to a statement by security company Kaspersky Labs. Kaspersky has said that 40% of all cases its technical support is dealing with are connected to Opasoft, a figure exceeding even those of other dangerous worms such as Klez and Tanatos.
It is not known whether the Opasoft worm damages any files on the machines it infects, but it did open a back door from the machine to a Web site, www.opasoft.com, from which updated versions of the worm and other script files were being downloaded. The Web site has now been taken down.