RE: ALEVRIUS!

From: Salisko, Rick (SaliskoRat_private)
Date: Fri Feb 07 2003 - 11:29:24 PST


    How about ALEVIRUS  -- hundreds of links on Google on this one ... ?
    
    -----Original Message-----
    From: James C Slora Jr [mailto:Jim.Sloraat_private]
    Sent: Thursday, February 06, 2003 6:44 PM
    To: 'Geert Kiers'; incidentsat_private
    Subject: RE: ALEVRIUS!
    
    
    Geert Kiers wrote Thursday, February 06, 2003 13:39
    
    > Who or what is ALEVRIUS!
    
    Host name used by Opaserv - there are also references to ALEVRIUS_ .
    
    > Is it related to ALEVIR or the Opaserv/Opasoft worm?
    
    Google shows references back into 2002, but I saw nothing that specifies
    which variety of Opaserv it might be.
    
    > Now we run mainly NT servers and I get the sense that if it is ALEVIR that
    > our hosts may not get infected.  Still I am scanning our drives for
    > occurrences of alevir, scrsvr, brasil, marco!, instit, mqbkup and mmstask.
    > In all cases hoping (or not) to find the .exe file which is supposed to be
    > the driver.  As a last thought, I also searched for alevrius.  All searches
    > were negative.
    
    Couldn't you trace the source back by other traffic associated with its IP,
    then run fport and check win.ini and check registry
    "run" keys for the actual proggie?
    
    NT is not completely immune AFAIK - it is just protected in its default
    configuration. It is immune from the worm's password
    cracking vector because NT doesn't have the bug that allows access to
    passworded shares via a single character. Also Opaserv
    typically looks for the "Windows" directory and fails to find what it wants
    on NT because a virgin install of NT defaults to
    "WINNT".
    
    A C drive shared as "C" would still be vulnerable under NT if it did not
    have restrictive permissions. Other malware or a user with
    appropriate rights could share the C drive as "C". If a system was upgraded
    from another version of Windows to NT, the default
    windir can be Windows, opening the NT box up for infection. Shares created
    before the upgrade may also have carried forward.
    
    Once NT becomes infected, it will try to spread Opaserv the same as any
    other vulnerable OS.
    
    I'm not up to speed on all the Opaserv varieties floating around. There have
    been so many variants, I assume there are some
    undiscovered or customized versions. There might be variants of Opaserv that
    correctly search for %windir% instead of the less
    useful Windows directory.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
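An added triage script (not part of this thread, and not a tool either poster used) that turns the checklist in James's reply into host checks: the %windir% leaf name, shares exposing a drive root (a share named "C" in particular), and win.ini run=/load= lines and Run keys referencing the file names Geert listed. It assumes PowerShell 3 or later with the CIM cmdlets; fport is a separate third-party tool and is not covered here.

```powershell
# Added example, not from the original thread. File names are the ones listed in the message.
$Names = 'alevir','scrsvr','brasil','marco!','instit','mqbkup','mmstask','alevrius'

function Test-SuspectName([string]$Text) {
    # True if any Opaserv-associated name from the thread appears in $Text
    foreach ($n in $Names) { if ($Text -match [regex]::Escape($n)) { return $true } }
    return $false
}

function Get-WinIniRunEntries([string[]]$Lines) {
    # run= / load= under [windows] in win.ini is the legacy autostart vector the reply mentions
    $inWindows = $false
    foreach ($l in $Lines) {
        if ($l -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -eq 'windows'); continue }
        if ($inWindows -and $l -match '^\s*(run|load)\s*=\s*(.+)$') {
            [pscustomobject]@{ Key = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
}

function Get-RunKeyEntries {
    # Per-machine and per-user Run keys; PS* properties are PowerShell metadata, not values
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
    }
}

# 1. A %windir% called "Windows" (e.g. after an upgrade to NT) is the directory name the worm looks for
$windir = Split-Path -Leaf $env:windir
"windir leaf: $windir" + $(if ($windir -ieq 'Windows') { '  <-- matches the name Opaserv targets' })

# 2. Shares whose path is a drive root; a share literally named "C" is the case discussed above
Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Path -match '^[A-Za-z]:\\?$' } |
    ForEach-Object { "root share: $($_.Name) -> $($_.Path)" + $(if ($_.Name -ieq 'C') { '  <-- review permissions' }) }

# 3. Autostart entries that reference the names from the thread
$ini = Join-Path $env:windir 'win.ini'
if (Test-Path $ini) { Get-WinIniRunEntries (Get-Content $ini) | Where-Object { Test-SuspectName $_.Value } }
Get-RunKeyEntries | Where-Object { Test-SuspectName "$($_.Name) $($_.Value)" }
```

A hit on any of the three checks is a reason to pull the referenced executable and the share's ACL, not proof of infection on its own.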
    
    



    This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 13:10:38 PST