Security Incidents mailing list archives

RE: ALEVRIUS!


From: "Salisko, Rick" <SaliskoR () ottawapolice ca>
Date: Fri, 7 Feb 2003 14:29:24 -0500

How about ALEVIRUS -- hundreds of links on Google on this one ... ?

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora () phra com]
Sent: Thursday, February 06, 2003 6:44 PM
To: 'Geert Kiers'; incidents () securityfocus com
Subject: RE: ALEVRIUS!


Geert Kiers wrote Thursday, February 06, 2003 13:39

Who or what is ALEVRIUS!

Host name used by Opaserv - there are also references to ALEVRIUS_ .

Is it related to ALEVIR or the Opaserv/Opasoft worm?

Google shows references back into 2002, but I saw nothing that specifies
which variety of Opaserv it might be.

Now we run mainly NT servers and I get the sense that if it is ALEVIR that
our hosts may not get infected.  Still I am scanning our drives for
occurrences of alevir, scrsvr, brasil, marco!, instit, mqbkup and mmstask.
In all cases hoping (or not) to find the .exe file which is supposed to be
the driver.  As a last thought, I also searched for alevrius.  All searches
were negative.

Couldn't you trace the source back by other traffic associated with its IP,
then run fport and check win.ini and check registry
"run" keys for the actual proggie?

NT is not completely immune AFAIK - it is just protected in its default
configuration. It is immune from the worm's password
cracking vector because NT doesn't have the bug that allows access to
passworded shares via a single character. Also Opaserv
typically looks for the "Windows" directory and fails to find what it wants
on NT because a virgin install of NT defaults to
"WINNT".

A C drive shared as "C" would still be vulnerable under NT if it did not
have restrictive permissions. Other malware or a user with
appropriate rights could share the C drive as "C". If a system was upgraded
from another version of Windows to NT, the default
windir can be Windows, opening the NT box up for infection. Shares created
before the upgrade may also have carried forward.

Once NT becomes infected, it will try to spread Opaserv the same as any
other vulnerable OS.

I'm not up to speed on all the Opaserv varieties floating around. There have
been so many variants, I assume there are some
undiscovered or customized versions. There might be variants of Opaserv that
correctly search for %windir% instead of the less
useful Windows directory.
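The host triage the message sketches (search the drives for the named files, check win.ini, check the registry "run" keys) as an added example script; this is not code from the thread or from any of the posters. The indicator names are the ones listed in the message; the win.ini text and directory tree the demo runs against are constructed for illustration, and the registry walk only does anything on a Windows host.

```python
"""Added example: triage a host for the Opaserv indicators named in the thread."""
import os
import re
import tempfile
from pathlib import Path

# File-name fragments the poster was searching for (from the message),
# matched case-insensitively as substrings of file names.
INDICATORS = ["alevir", "scrsvr", "brasil", "marco!", "instit",
              "mqbkup", "mmstask", "alevrius"]

# The registry "run" keys the message refers to.
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]


def scan_tree(root, indicators=INDICATORS):
    """Walk `root` and return paths whose file name contains an indicator."""
    wanted = [i.lower() for i in indicators]
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(w in name.lower() for w in wanted):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_win_ini(text):
    """Return non-empty run=/load= entries from the [windows] section of win.ini.

    Both keys are autostart hooks; a clean system normally has them empty.
    """
    entries, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load") and value.strip():
                entries[key.strip().lower()] = value.strip()
    return entries


def flag_autostart(entries, indicators=INDICATORS):
    """Keep only autostart values that reference one of the indicator names."""
    wanted = [i.lower() for i in indicators]
    return {k: v for k, v in entries.items() if any(w in v.lower() for w in wanted)}


def read_run_keys():
    """Enumerate the Run key values; returns [] on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values.append((hive + "\\" + path, name, str(data)))
                    i += 1
        except OSError:
            continue
    return values


# Constructed win.ini sample (not a real capture): empty load=, and a run=
# line pointing at one of the indicator names.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SCRSVR.EXE
NullPort=None

[Extensions]
txt=notepad.exe ^.txt
"""


def demo():
    """Build a constructed tree, run the file and win.ini checks, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        win = Path(tmp) / "WINDOWS"
        win.mkdir()
        (win / "scrsvr.exe").write_bytes(b"MZ")   # constructed indicator file
        (win / "notepad.exe").write_bytes(b"MZ")  # benign, must not match
        (win / "win.ini").write_text(SAMPLE_WIN_INI)
        hits = [os.path.relpath(h, tmp) for h in scan_tree(tmp)]
    flagged = flag_autostart(parse_win_ini(SAMPLE_WIN_INI))
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = demo()
    print("file hits:", hits)
    print("win.ini autostart:", flagged)
    for loc, name, data in read_run_keys():
        print("registry:", loc, name, "=", data)
```

On a real host you would point `scan_tree` at each drive root and compare `read_run_keys()` output against the same indicator list; fport (or netstat -o on later Windows) then ties any listening process back to the file found.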



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


