FRISK Software International


Summary of W32/Lioten
Alias: Iraq_oil, Datrix, W32.Lioten, I-Worm.Lioten, Lioten
Discovered: 17 Dec 2002
Definition files: 18 Dec 2002
Risk Level: Low
Distribution: Low
Infection Method: Uses the Windows Server Message Block (SMB) service on port 445
 

Brief Description
Lioten, also known as Iraq_Oil, is a Windows network worm that spreads through shared folders. It was found in the wild on December 16th, 2002.


Technical Description
Lioten does not spread through e-mail at all. Instead, it scans the internet for Windows 2000 and Windows XP machines that share folders with other users and are not protected by a firewall. Once a suitable machine is found, the worm guesses a password, logs in to the machine, copies itself over as an EXE file (usually named iraq_oil.exe) and executes it. It then resumes scanning for new targets.

There is no further information on what the worm does besides spreading. The reason for the reference to Iraq is also unclear.

The worm uses the Windows Server Message Block (SMB) service on port 445. Basic firewall filtering prevents access to this port.

The worm launches 100 threads, each of which generates random IP addresses, seeding its generator from the system clock.

For every generated IP address a connection is made to port 445. If the connection succeeds, the worm tries to enumerate the user accounts on the machine and guess their passwords, using a hardcoded internal list that contains a blank password and the following words:

 admin
 root
 111
 123
 1234
 123456
 654321
 1
 !@#$
 asdf
 asdfgh
 !@#$%
 !@#$%^
 !@#$%^&
 !@#$%^&*
 server
Each of these passwords is tried both in plain text and in Unicode.

If the file is copied successfully, a remote task is scheduled so that the process runs on the remote machine.
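The scanning behaviour described above (many threads probing random addresses on port 445) leaves a distinctive trace in perimeter logs: one source touching many distinct hosts on port 445 in a short time. The following detection logic is an added example from the editor, not code from the original analysis; the log format and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the original analysis). Format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2002-12-17T10:00:00 10.0.0.5 -> 192.0.2.10:445 DROP
2002-12-17T10:00:01 10.0.0.5 -> 192.0.2.11:445 DROP
2002-12-17T10:00:01 10.0.0.5 -> 198.51.100.7:445 DROP
2002-12-17T10:00:02 10.0.0.5 -> 203.0.113.40:445 ACCEPT
2002-12-17T10:00:03 10.0.0.5 -> 192.0.2.99:445 DROP
2002-12-17T10:00:00 10.0.0.7 -> 10.0.0.1:445 ACCEPT
2002-12-17T10:00:09 10.0.0.7 -> 10.0.0.1:445 ACCEPT
2002-12-17T10:00:02 10.0.0.9 -> 192.0.2.10:80 ACCEPT
2002-12-17T10:00:03 10.0.0.9 -> 192.0.2.11:80 ACCEPT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dst_port": int(port), "action": action}

def find_smb_scanners(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src_ip: max distinct port-445 targets seen inside any window}
    for sources that reach at least min_targets distinct hosts. Accepted and
    dropped attempts both count: the scan itself is the signal."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dst_port"] == 445:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start so the span never exceeds `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

A host legitimately talking to one file server (10.0.0.7 above) is not flagged, because the rule counts distinct destinations rather than connection volume.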

The executable is packed with UPX.


[Analysis by Ero Carrera and Mikko Hypponen, F-Secure Corp., December 17th, 2002]
 

