Security Incidents mailing list archives

RE: ALEVRIUS!


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Thu, 6 Feb 2003 18:43:51 -0500

Geert Kiers wrote Thursday, February 06, 2003 13:39

Who or what is ALEVRIUS!

Host name used by Opaserv - there are also references to ALEVRIUS_ .

Is it related to ALEVIR or the Opaserv/Opasoft worm?

Google shows references back into 2002, but I saw nothing that specifies which variety of Opaserv it might be.

Now we run mainly NT servers and I get the sense that if it is ALEVIR that our hosts may not get infected. Still I am scanning our drives for occurrences of alevir, scrsvr, brasil, marco!, instit, mqbkup and mmstask. In all cases hoping (or not) to find the .exe file which is supposed to be the driver. As a last thought, I also searched for alevrius. All searches were negative.

Couldn't you trace the source back by other traffic associated with its IP, then run fport and check win.ini and check registry "run" keys for the actual proggie?

NT is not completely immune AFAIK - it is just protected in its default configuration. It is immune from the worm's password cracking vector because NT doesn't have the bug that allows access to passworded shares via a single character. Also Opaserv typically looks for the "Windows" directory and fails to find what it wants on NT because a virgin install of NT defaults to "WINNT".

A C drive shared as "C" would still be vulnerable under NT if it did not have restrictive permissions. Other malware or a user with appropriate rights could share the C drive as "C". If a system was upgraded from another version of Windows to NT, the default windir can be Windows, opening the NT box up for infection. Shares created before the upgrade may also have carried forward.

Once NT becomes infected, it will try to spread Opaserv the same as any other vulnerable OS.

I'm not up to speed on all the Opaserv varieties floating around. There have been so many variants, I assume there are some undiscovered or customized versions. There might be variants of Opaserv that correctly search for %windir% instead of the less useful Windows directory.
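An added triage helper (not from the thread or either poster) for the check suggested above: it parses a win.ini and a .reg export of a Run key, both constructed samples here, and flags load=/run= entries and Run values whose executable stem matches the names the thread searches for.

```python
import configparser
import ntpath
import re

# Executable stems named in the thread (the files Geert scanned for, plus alevrius).
OPASERV_NAMES = {"alevir", "scrsvr", "brasil", "marco!", "instit", "mqbkup", "mmstask", "alevrius"}

# Constructed sample win.ini: the [windows] section's load= and run= lines start programs at logon.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\scrsvr.exe
NullPort=None
[fonts]
"""

# Constructed sample .reg export (regedit format, backslashes doubled) of an HKLM Run key.
SAMPLE_RUN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="C:\\WINDOWS\\scrsvr.exe"
"Synchronization Manager"="mobsync.exe /logon"
"""

REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')  # "name"="string data" lines only

def base_name(command):
    """Lowercase executable stem of a command line: '"C:\\dir\\foo.exe" /x' -> 'foo'."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    stem = ntpath.basename(m.group(1) or m.group(2)).lower()
    return stem[:-4] if stem.endswith(".exe") else stem

def suspicious_win_ini(text):
    """Return (key, command) pairs from [windows] load=/run= whose stem is a known name."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    hits = []
    if cp.has_section("windows"):
        for key in ("load", "run"):
            for cmd in cp.get("windows", key, fallback="").split(","):  # comma-separated list
                if base_name(cmd) in OPASERV_NAMES:
                    hits.append((key, cmd.strip()))
    return hits

def suspicious_run_keys(text):
    """Return (key path, value name, data) for Run-key values whose stem is a known name."""
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "\\RUN" in current.upper():
            m = REG_VALUE.match(line)
            if m and base_name(m.group(2).replace("\\\\", "\\")) in OPASERV_NAMES:
                hits.append((current, m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits
```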



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
