RE: ALEVRIUS!

From: James C Slora Jr (Jim.Sloraat_private)
Date: Thu Feb 06 2003 - 15:43:51 PST


    Geert Kiers wrote Thursday, February 06, 2003 13:39
    
    > Who or what is ALEVRIUS!
    
    Host name used by Opaserv - there are also references to ALEVRIUS_ .
    
    > Is it related to ALEVIR or the Opaserv/Opasoft worm?
    
    Google shows references back into 2002, but I saw nothing that specifies which variety of Opaserv it might be.
    
    > Now we run mainly NT servers and I get the sense that if it is ALEVIR that
    > our hosts may not get infected.  Still I am scanning our drives for
    > occurrences of alevir, scrsvr, brasil, marco!, instit, mqbkup and mmstask.
    > In all cases hoping (or not) to find the .exe file which is supposed to be
    > the driver.  As a last thought, I also searched for alevrius.  All searches
    > were negative.
    
    Couldn't you trace the source back by other traffic associated with its IP, then run fport and check win.ini and check registry
    "run" keys for the actual proggie?
    
    NT is not completely immune AFAIK - it is just protected in its default configuration. It is immune from the worm's password
    cracking vector because NT doesn't have the bug that allows access to passworded shares via a single character. Also Opaserv
    typically looks for the "Windows" directory and fails to find what it wants on NT because a virgin install of NT defaults to
    "WINNT".
    
    A C drive shared as "C" would still be vulnerable under NT if it did not have restrictive permissions. Other malware or a user with
    appropriate rights could share the C drive as "C". If a system was upgraded from another version of Windows to NT, the default
    windir can be Windows, opening the NT box up for infection. Shares created before the upgrade may also have carried forward.
    
    Once NT becomes infected, it will try to spread Opaserv the same as any other vulnerable OS.
    
    I'm not up to speed on all the Opaserv varieties floating around. There have been so many variants, I assume there are some
    undiscovered or customized versions. There might be variants of Opaserv that correctly search for %windir% instead of the less
    useful Windows directory.
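As an added example (not part of the original message or of the list archive), the win.ini and registry "run" key check suggested above, scripted in Python against constructed samples. The file-name list is the one quoted in the thread; the sample win.ini text, the sample .reg export and the function names are assumptions made for the example.

```python
import configparser
import re

# File names quoted in the thread, matched case-insensitively against the program's base name.
OPASERV_NAMES = ("alevir", "scrsvr", "brasil", "marco!", "instit", "mqbkup", "mmstask", "alevrius")

# Constructed sample win.ini: the [windows] run= line starts scrsvr.exe at logon.
SAMPLE_WIN_INI = """\
[windows]
load=
run=c:\\windows\\scrsvr.exe
"""
# Constructed sample .reg export of the HKLM Run key (.reg files double the backslashes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScrSvr"="C:\\WINDOWS\\SCRSVR.EXE"
"""
SECTION_RE = re.compile(r"^\[([^\]]+)\]\r?\n((?:[^\[\n].*\n?)*)", re.MULTILINE)
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$', re.MULTILINE)


def indicator_for(command):
    """Return the Opaserv name the command's program stem matches, else None."""
    base = re.split(r"[\\/]", command.strip().strip('"'))[-1]
    stem = base.rsplit(".", 1)[0].lower()
    return stem if stem in OPASERV_NAMES else None


def scan_win_ini(text):
    """Return (key, program, indicator) for run=/load= programs in [windows] that match."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    hits = []
    for key in ("run", "load"):  # win.ini separates several programs with spaces or commas
        for program in re.split(r"[,\s]+", cp.get("windows", key, fallback="").strip()):
            if program and (ind := indicator_for(program)):
                hits.append((key, program, ind))
    return hits


def scan_reg_export(text):
    """Return (key path, value name, command, indicator) for Run/RunOnce values that match."""
    hits = []
    for key, body in SECTION_RE.findall(text):
        if not re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.IGNORECASE):
            continue
        for name, data in VALUE_RE.findall(body):
            if ind := indicator_for(data.replace("\\\\", "\\")):
                hits.append((key, name, data, ind))
    return hits
```

Feed it the real win.ini and a `reg export` of the HKLM and HKCU Run keys from the suspect host; a hit gives the path of the executable to pull for analysis.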
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 10:53:51 PST