RE: ALEVRIUS!

From: NetSec Analyst (infosec@digital-extreme.net)
Date: Fri Feb 07 2003 - 15:36:39 PST


    NetBIOS worms
    Starting in 1999, numerous NetBIOS worms have been seen. These include the
    ExploreZip virus/worm, the Network.VBS VisualBasic script, and the 911 worm
    (which also calls 911 out your modem). All of these worms will attempt a
    connection to your machine. In late 2002, the ALEVRIUS worm is the source of
    many of these queries in order to find names to connect to your machine
    with.
    http://www.robertgraham.com/pubs/firewall-seen.html
    
    
    Thought I'd post this, just because.
    
    
    
    -----Original Message-----
    From: Geert Kiers [mailto:kwebat_private]
    Sent: Thursday, February 06, 2003 1:39 PM
    To: incidentsat_private
    Subject: ALEVRIUS!
    
    
    Greetings:
    
    I'd rather just read the mail and not be a regular.  Too many auto
    responders coming back at me say "I'm not in until such and such a time.
    In case of emergency contact ...." each time I post, but...  I have a
    problem, I think.
    
    Who or what is ALEVRIUS!
    
    Is it related to ALEVIR or the Opaserv/Opasoft worm?
    
    The reason I ask, we had a number of weird things happening on our little
    network this morning so I decided to run MS Netmon and capture a while.
    When I finished capturing I did a Find All Names, and it discovered a new
    one:
    
    ALEVRIUS! [no transposition (sp?) error.  It is ALEVRIUS! with the
    exclamation mark] associated with a specific ip address with a valid
    appearing dynamic DNS name.
    
    Now we run mainly NT servers and I get the sense that if it is ALEVIR then
    our hosts may not get infected.  Still I am scanning our drives for
    occurrences of alevir, scrsvr, brasil, marco!, instit, mqbkup and mmstask.
    In all cases hoping (or not) to find the .exe file which is supposed to be
    the driver.  As a last thought, I also searched for alevrius.  All searches
    were negative.
    
    I did a search of online.securityfoucs.com/archives for both alevir and
    alevrius! but found no match.  I assume, then, that this is either a new
    topic or one of little importance.  Can anyone enlighten me?
    
    Regards,
    
    Geert
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    


