[Gloucs] I-WORM/Opas.A

bjh gloucs at mailman.lug.org.uk
Mon Dec 30 23:20:00 2002


Thanks for the response Adam... the networking is one of the triggers for
this one - it looks as if the virus can stay dormant until it actually gets
an opportunity via a network to start its attack... That is what happened to
us, the action to network the two computers was the trigger...

If you read right through the message threads on the link I put in the
original message you will see what I mean, a full
system clean and elimination of the win.ini files concerned was
insufficient...

The only way we stabilised the problem was to remove all network connections
and drivers, do a full system clean in DOS, making sure that the win.ini
trigger line was then eliminated and put ZoneAlarm on the system before
going back on the net...

A charming little worm... (smile)


----- Original Message -----
From: "Adam Langley" <agl@imperialviolet.org>
To: <gloucs@mailman.lug.org.uk>
Sent: Monday, December 30, 2002 10:37 PM
Subject: Re: [Gloucs] meetings and website


> On Mon, Dec 30, 2002 at 10:23:38PM -0000, bjh wrote:
> > The current problem (international) is: I-WORM/Opas.A , and a full listing
> > of the problem and attempts to find a solution is to be found at
> > http://www.computing.net/security/wwwboard/forum/3197.html , please click on
> > the link and follow the threads...
> >
> > This is a pretty nasty Virus that is affecting networked systems and is
> > refusing to be killed off despite the efforts of many virus experts... as
> > fast as you clean it out of the system when you next click on to the
> > internet what does it do - it searches for the original computer it got the
> > virus from and drags it back into your system again!!!
>
> Which means it was never cleaned off in the first place. A virus can only
> infect if you run it - simply being on a network (wireless or otherwise) is
> not sufficient. The only way that a virus can `attack' over a network is by
> exploiting an overflow in Windows and I haven't heard of anything that
> dangerous in quite a while.
>
> --
> Adam Langley                                      agl@imperialviolet.org
> http://www.imperialviolet.org                       (+44) (0)7986 296753
> PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60