Win32.Opasoft

(Worm:Win32/Opaserv.S, Net-Worm.Win32.Opasoft.d, Win32.Worm.Opasoft.L, Win32.Worm.Opasoft.d, WORM_OPASERV.AI, Worm:Win32/Opaserv.J, I-Worm/Opas.D, Win32.Worm.Opaserv.S@mm, PE_DUPATOR.1503, Worm/OpaSoft.D.2, Win32.Worm.Opaserv.A, WORM_OPASERV.A, W32/Opaserv.worm.ai, Net-Worm.Win32.Opasoft.b, Win32.Worm.Opaserv.H, I-Worm/Opas.BOOT, WORM_OPASERV.AE, I-Worm/Opas.B, Worm:Win32/Opaserv.A.dr, PE_VALLA.A, W95.Dupator.1503, Worm/OpaSoft.A, Virus.Win9x.Spaces.1445.a, PE_INCA, TR/QZAP.248)

Virus description added:

Description

Win32.HLLW.Opasoft is a worm. It affects only computers running Windows 95/98/ME.

Spreading

The worm propagates through shared drives. It first checks the registry for the following entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
ScrSvrOld = [Windows folder]\Desktop\SCRSVR.EXE
If this entry is found, the worm deletes the file [Windows folder]\Desktop\SCRSVR.EXE.

Then it checks the same registry entry for the value ScrSvr and, if the value is not found, copies itself to the Windows StartUp folder as ScrSvr.exe.

Action

To ensure it runs automatically at every system startup, the worm adds the value ScrSvr = %Windows%\ScrSvr.exe to the registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\. The worm carries out the same procedure on all shared C:\ drives. It modifies the win.ini file in the Windows folder on those drives to ensure it is launched there.

After completing this procedure, the worm creates a mutex named ScrSvr31415 in the system.

Once on the system, the worm tries to connect to www.opasoft.com and download its plug-in, a file named scrupd.exe.
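The persistence artifacts described above can be checked offline from a registry export and a copy of win.ini. The following is an added example, not part of the original description: the function names and sample inputs are constructed, and because the page does not say which win.ini line the worm changes, the check assumes the standard run=/load= autostart lines in the [windows] section.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"scrsvr", "scrsvrold"}  # value names given in the description
WORM_FILE = "scrsvr.exe"

# Constructed sample inputs (not captured from a real infection).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
'''
SAMPLE_INI = r'''[windows]
load=
run=C:\WINDOWS\ScrSvr.exe
'''

def scan_reg_export(text):
    """Return (name, data) for ScrSvr/ScrSvrOld values under the Run key."""
    hits, in_run = [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m and m.group(1).lower() in RUN_VALUES:
            # .reg files double every backslash in string data
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits

def scan_win_ini(text):
    """Return run=/load= entries in [windows] that reference ScrSvr.exe.
    Assumption: the page does not say which win.ini line is changed."""
    hits, section = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("run", "load") and WORM_FILE in value.lower():
                hits.append((key.lower(), value))
    return hits

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG) + scan_win_ini(SAMPLE_INI):
        print("indicator:", finding)
```

The mutex ScrSvr31415 and the connection to www.opasoft.com are runtime indicators and are not covered by this file-based check.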