
RE: ALEVRIUS!

From: Salisko, Rick <SaliskoR(at)ottawapolice.ca>
Date: Fri Feb 07 2003 - 14:29:24 EST


How about ALEVIRUS -- hundreds of links on Google on this one ... ?

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora@phra.com]
Sent: Thursday, February 06, 2003 6:44 PM
To: 'Geert Kiers'; incidents@securityfocus.com
Subject: RE: ALEVRIUS!

Geert Kiers wrote Thursday, February 06, 2003 13:39

> Who or what is ALEVRIUS!

Host name used by Opaserv - there are also references to ALEVRIUS_ .

> Is it related to ALEVIR or the Opaserv/Opasoft worm?

Google shows references back into 2002, but I saw nothing that specifies which variety of Opaserv it might be.

> Now we run mainly NT servers and I get the sense that if it is ALEVIR that
> searches were negative.

Do you need help?

Couldn't you trace the source back by other traffic associated with its IP, then run fport and check win.ini and check registry "run" keys for the actual proggie?

NT is not completely immune AFAIK - it is just protected in its default configuration. It is immune from the worm's password cracking vector because NT doesn't have the bug that allows access to passworded shares via a single character. Also Opaserv typically looks for the "Windows" directory and fails to find what it wants on NT because a virgin install of NT defaults to "WINNT". A C drive shared as "C" would still be vulnerable under NT if it did not have restrictive permissions. Other malware or a user with appropriate rights could share the C drive as "C". If a system was upgraded from another version of Windows to NT, the default windir can be Windows, opening the NT box up for infection. Shares created before the upgrade may also have carried forward.

Once NT becomes infected, it will try to spread Opaserv the same as any other vulnerable OS.

I'm not up to speed on all the Opaserv varieties floating around. There have been so many variants, I assume there are some undiscovered or customized versions. There might be variants of Opaserv that correctly search for %windir% instead of the less useful Windows directory.
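The triage Jim describes above (trace the source, run fport, check win.ini and the registry "run" keys) and the exposure conditions he lists for NT (a C drive shared as "C", a system directory literally named "Windows") can be collected in one script. The following is an added example written for this archive page, not code posted in the thread and not part of Opaserv analysis from any vendor. It assumes a modern Windows host with PowerShell 3 or later; Get-NetTCPConnection and Get-SmbShare need Windows 8 / Server 2012 or newer, so on an NT4 box of the period you would still use fport and "net share" by hand. Run it from an elevated prompt.

```powershell
# Added triage script (not from the original thread). Assumes PowerShell 3+
# and an elevated session; Get-NetTCPConnection / Get-SmbShare need
# Windows 8 / Server 2012 or later.

# 1. Persistence: win.ini [windows] "load=" and "run=" lines, the Win9x-era
#    launch points Opaserv-family worms used.
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    Get-Content $winIni |
        Select-String -Pattern '^\s*(load|run)\s*=\s*\S' |
        ForEach-Object { "win.ini: $($_.Line.Trim())" }
}

# 2. Persistence: Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { '{0}\{1} = {2}' -f $key, $_.Name, $_.Value }
    }
}

# 3. What fport showed: listening TCP ports mapped to the owning process
#    and its image path.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
        }
    } | Sort-Object LocalPort | Format-Table -AutoSize

# 4. Exposure conditions from the thread: a non-administrative share that
#    exposes a whole drive root (e.g. C shared as "C"), and a system
#    directory whose name is "Windows" rather than "WINNT".
Get-SmbShare |
    Where-Object { $_.Name -notmatch '\$$' -and $_.Path -match '^[A-Za-z]:\\$' } |
    ForEach-Object { 'share "{0}" exposes {1} - review its permissions' -f $_.Name, $_.Path }

if ((Split-Path $env:windir -Leaf) -ieq 'Windows') {
    "windir is $env:windir (the directory name the worm looks for)"
}
```

Step 4 will fire on every current Windows version, since the system directory has been "Windows" rather than "WINNT" for a long time; the point of the check is the combination with an open drive-root share, which is what made an NT box reachable by this worm. Administrative shares (C$ and friends) are deliberately excluded because they require administrator credentials and are not the exposure the thread is describing.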



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Feb 7 16:17:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:58 EDT

