Summary of W32/Lioten
Alias: Iraq_oil, Datrix, W32.Lioten, I-Worm.Lioten, Lioten
17 Dec 2002
18 Dec 2002
Infection Method: Uses the Windows Server Message Block (SMB) service on port 445
Lioten, also known as Iraq_Oil, is a Windows network worm that spreads through shared folders. It was found in the wild on December 16th, 2002.
Lioten does not spread through e-mail at all. Instead, it scans the internet for Windows 2000 and Windows XP machines that share folders with other users and are not protected by a firewall. Once a suitable machine is found, the worm guesses a password, logs in to the machine, copies itself over as an EXE file (usually named iraq_oil.exe) and executes it. After this the worm starts spreading again.
There is no further information on what the worm does in addition to spreading. Also the reason for the reference to Iraq is unclear.
The worm uses the Windows Server Message Block (SMB) service on port 445. Basic firewall techniques prevent access to this port.
The worm launches 100 threads, each of which starts generating random IP addresses, using the system clock to seed the random number generator.
For every generated IP address a connection is made to port 445. If the connection is successful, the worm tries to enumerate the users on the machine and to guess their passwords, using a hardcoded internal list which contains a blank password and the following words:
These passwords are tried both in plain text and in Unicode.
If the file is copied successfully, a remote task is scheduled so that the worm is run on the remote machine.
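The two spreading phases described above (many random-looking connections to port 445 from one host, then repeated failed logons against a target while the password list is tried) are both visible from the defender's side. The following Python script is an added example, not F-Secure's code or anything from the worm; it parses a constructed connection/logon log format (timestamp, source, destination, port, event kind) and flags hosts that behave like the worm. The log format, the thresholds and all IP addresses are assumptions chosen for the example.

```python
"""Detect Lioten-style SMB spreading in connection and logon logs (added example).

Two behaviours from the description are observable without seeing the worm itself:
  1. one host contacting many distinct IP addresses on TCP/445 in a short time
     (the 100 scanning threads working on random addresses), and
  2. a burst of failed logons from one source against one target
     (the hardcoded password list being tried against enumerated users).
The log format below is constructed for this example; adapt parse_log() to your
own firewall export or security event log.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

SMB_PORT = 445  # the port the worm connects to


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    kind: str  # "CONNECT" (outbound connection permitted) or "LOGON_FAIL" (audit log)


def parse_log(text: str) -> List[Event]:
    """Parse lines of the form '<ISO ts> <src> <dst> <dport> <kind>'; skip blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), kind))
    return events


def detect_smb_scanners(events: List[Event], window: timedelta = timedelta(seconds=60),
                        min_targets: int = 20, port: int = SMB_PORT) -> Dict[str, int]:
    """Return {src: distinct_targets} for sources that reach >= min_targets distinct
    hosts on `port` inside some sliding window of length `window`."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.kind == "CONNECT" and e.dport == port:
            by_src[e.src].append(e)
    flagged: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i, first in enumerate(evs):  # window starting at each event
            targets = set()
            for e in evs[i:]:
                if e.ts - first.ts > window:
                    break
                targets.add(e.dst)
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def detect_password_guessing(events: List[Event], min_failures: int = 5) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): failures} for pairs with >= min_failures LOGON_FAIL events."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        if e.kind == "LOGON_FAIL":
            counts[(e.src, e.dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_failures}


def build_sample_log() -> str:
    """Constructed sample data. 10.0.0.5 behaves like the worm: 30 targets on 445 in
    30 seconds, then six failed logons against one of them. 10.0.0.9 is a normal
    client talking to two file servers (assumed addresses)."""
    base = datetime(2002, 12, 17, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.{i + 1} 445 CONNECT")
    for i in range(6):
        ts = (base + timedelta(seconds=40 + i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.7 445 LOGON_FAIL")
    for i, server in enumerate(["10.0.0.50", "10.0.0.51"]):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 {server} 445 CONNECT")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("hosts scanning port 445:", detect_smb_scanners(evs))
    print("password guessing (src, dst):", detect_password_guessing(evs))
```

The scan detector counts distinct destinations rather than raw connections, so a busy client reconnecting to the same file server is not flagged; the thresholds are starting points and should be tuned against the number of SMB peers a normal host on your network actually talks to.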
The executable is packed with UPX.
[Analysis by Ero Carrera and Mikko Hypponen, F-Secure Corp., December 17th, 2002]