Infected with SPEEDY.SCR virus

2 days ago, 5 of my computers were infected with an OPASERV virus. The virus installed on my computers activated at the same time, so the Norton Antivirus installed on those computers alerted me at the same time.

Now, what I did in order to get rid of it is the following:
  1. I opened REGEDIT, searched for and deleted all SPEEDY entries in the registry.
  2. I opened WIN.INI, which is found in the WINDOWS directory, and deleted the SPEEDY.SCR entry found under the WINDOWS section.
  3. I searched for the files with the filenames PANDA, PORDE, and SPEEDY and deleted them.
  4. Restarted the computer.
After this procedure, I still found entries re-posted in the REGISTRY and WIN.INI; I even found the SPEEDY.SCR file in the WINDOWS directory. But it is better than before, since this file has not been activated.

According to PANDA LABS, this virus spreads directly from the internet by looking for computers to infect. It checks if port 137 is open and unprotected. If it is, Opaserv.Y gets into the computer through port 139 and copies itself to the C:\Windows directory under the name Speedy.scr.

At the same time, it generates several entries in the Windows Registry in order to ensure that it is run whenever the computer is started up. If the infected computer is connected to a network, Opaserv.Y will exploit the Windows vulnerability known as Share Level Password - based on an inconsistency in the protection of network shares in the operating systems Windows Me/98/95 - in order to spread to the rest of the computers in the network.

UPDATES:

(1:50PM) I also discovered that this kind of virus drops files whose filenames begin with DC followed by a number, for example dc004.scr. These files have SCR or PIF extensions.
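The manual cleanup steps above (registry entries, the WIN.INI run= line, and the dropped SPEEDY/DC files) can be turned into a repeatable check. The script below is an added example, not code from the post or from Panda Labs: it runs the same three checks over constructed samples of a WIN.INI, a REGEDIT4 export and a C:\WINDOWS listing, so an administrator can confirm whether the persistence entries came back after a reboot. The sample contents and the `dc<number>.scr/.pif` pattern are assumptions built from what the post describes.

```python
import re

# Constructed samples (not captures from the post's machines): a WIN.INI with the
# run= entry the post describes, a REGEDIT4 export with a Run value pointing at
# the dropped file, and a listing of C:\WINDOWS.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SPEEDY.SCR\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = ("REGEDIT4\n\n"
              "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
              '"SystemTray"="SysTray.Exe"\n'
              '"Speedy"="C:\\\\WINDOWS\\\\SPEEDY.SCR"\n')
SAMPLE_FILES = ["C:\\WINDOWS\\SPEEDY.SCR", "C:\\WINDOWS\\dc004.scr",
                "C:\\WINDOWS\\NOTEPAD.EXE", "C:\\WINDOWS\\DC012.PIF"]

# Names the post ties to the infection: speedy.scr and dc<number>.scr / .pif (assumed pattern)
DROPPED_NAME = re.compile(r"^(speedy\.scr|dc\d+\.(scr|pif))$", re.IGNORECASE)
SECTION = re.compile(r"^\[(.+)\]$")
INI_AUTOSTART = re.compile(r"^(run|load)\s*=\s*(.*)$", re.IGNORECASE)
REG_VALUE = re.compile(r'^(@|"[^"]*")=(.*)$')


def win_ini_autostart(text):
    """run=/load= values in the [windows] section that reference speedy.scr."""
    section, hits = "", []
    for line in (l.strip() for l in text.splitlines()):
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        m = INI_AUTOSTART.match(line)
        if section == "windows" and m and "speedy" in m.group(2).lower():
            hits.append(m.group(2))
    return hits


def registry_references(reg_export):
    """(key, value name, data) for exported values whose data names speedy.scr."""
    key, hits = "", []
    for line in reg_export.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # key header, e.g. ...\CurrentVersion\Run
            continue
        m = REG_VALUE.match(line)
        if m and "speedy.scr" in m.group(2).lower():
            hits.append((key, m.group(1).strip('"'), m.group(2)))
    return hits


def dropped_files(paths):
    """Paths whose basename matches the dropped-file names."""
    return [p for p in paths if DROPPED_NAME.match(re.split(r"[\\/]", p)[-1])]
```

Any non-empty result from the three functions after a reboot means the worm re-established itself and the machine should be isolated from the network (ports 137/139) before cleaning again.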