Virus Profile: W32/Lioten.worm

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 12/16/2002
Date Added: 12/16/2002
Origin: Unknown
Length: 16,896 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4239

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of the file iraq_oil.exe
- Significant increase in SMB traffic

Methods of Infection

This worm copies itself to systems by targeting random IP addresses. It uses a "dictionary" attack to attempt to connect to common and default shares. Once a successful connection has been established, the worm copies itself to the SYSTEM32 folder and schedules a task to run the executable.

Aliases

W32.HLLW.Lioten (Symantec)

Virus Characteristics

Update 12/19/2002:

Due to the late appearance of this virus and the extra quality assurance testing required, AVERT decided to include it in the next (4239) weekly DAT update. Unfortunately, this information did not make it into the readme.txt file. If you would like an extra.dat for this threat, please write to extradat@avertlabs.com.

Update 12/17/2002:

This threat has an updated risk assessment of Low-Profiled due to the press article "New 'Iraq oil' network worm found".

This is a network share propagating worm. It exploits weak security configurations under Windows NT/2000/XP. It targets randomly generated IP addresses, using SMB (port 445), and attempts to connect to responding systems using the IPC$, C$, or Admin$ share using the following passwords:

- server
- !@#$%^&*
- !@#$%^&
- !@#$%^
- !@#$%
- asdfgh
- asdf
- !@#$
- 1
- 654321
- 123456
- 1234
- 123
- 111
- root
- admin

Once successfully connected to a victim's system, the worm will copy itself to the SYSTEM32 directory as iraq_oil.exe.
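As an added illustration (not part of the McAfee profile), the following Python heuristic flags the propagation behaviour described above, and the "significant increase in SMB traffic" indicator, over constructed SMB audit-style log lines: a single source fanning out to many port-445 targets, or repeatedly failing logons to the IPC$, C$ or ADMIN$ shares. The log format, field names, sample hosts and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed SMB audit-style lines (not real traffic). 10.0.0.5 behaves like Lioten:
# one admin-share logon per random target on port 445. 10.0.0.9 is a benign client.
SAMPLE_LOG = """\
2002-12-16 10:00:01 src=10.0.0.5 dst=10.0.1.7 dport=445 share=IPC$ result=fail
2002-12-16 10:00:03 src=10.0.0.9 dst=10.0.1.50 dport=445 share=DATA result=ok
2002-12-16 10:00:04 src=10.0.0.5 dst=192.168.7.2 dport=445 share=C$ result=fail
2002-12-16 10:00:05 src=10.0.0.5 dst=10.0.2.14 dport=445 share=ADMIN$ result=fail
2002-12-16 10:00:06 src=10.0.0.9 dst=10.0.1.50 dport=445 share=DATA result=ok
2002-12-16 10:00:07 src=10.0.0.5 dst=10.0.9.1 dport=445 share=IPC$ result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"share=(?P<share>\S+) result=(?P<result>\w+)$"
)
ADMIN_SHARES = {"IPC$", "C$", "ADMIN$"}  # the shares the worm tries

def parse(log):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def find_sweepers(log, window=timedelta(seconds=60), min_targets=3, min_failures=3):
    """Map src -> (distinct port-445 targets, failed admin-share logons) for every
    source that exceeds either threshold inside a sliding window of `window` length."""
    by_src = defaultdict(list)
    for ev in parse(log):
        if ev["dport"] == "445":
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            win = evs[start:end + 1]
            targets = {e["dst"] for e in win}
            fails = sum(e["share"].upper() in ADMIN_SHARES and e["result"] == "fail" for e in win)
            if len(targets) >= min_targets or fails >= min_failures:
                prev = hits.get(src, (0, 0))
                hits[src] = (max(prev[0], len(targets)), max(prev[1], fails))
    return hits
```

A benign client that repeatedly uses one named share on one server never trips either threshold, so the output lists only the fanning-out host.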
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations