Iraq_Oil.exe Worm

Good day:

I have just learned on the GRC Security forum that a new worm is in the wild. I understand that it attacks through port 445.

It seems to go by various names:

Iraq_Oil.exe, Iraqi_oil.exe, W32.HLLW.Lioten, W32/Liotem.worm, WORM_LIOTEN.A

I have added these names to my WG lockfile.txt file.

HTH,

Ed

 

Check out NetWatchMan's thread at dslreports:
mNW Alert: 'IraqWorm' propagating via tcp/445

 

Hi,

This worm exploits the new flaw IPC and plays with port 445
assocciated with M$ Network protocol on Win2k/XP

To correct the flaw IPC in "null session"
go to :
HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\LSA
Restrict Anonymous set value 2 instead of 0

Other way : unactivate listening on port 445 :
in the register :
go to : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
and add Add this value
Value : SmbDeviceEnabled
Type : DWORD value (REG_DWORD)
Content : 0

You may apply both

NB : it will correct the flaw, but not prevent installing the worms/virus

Rgds,

 

WORM_LIOTEN.A (Trend Micro)

WORM_LIOTEN.A is a network worm that spreads to, and executes, only on systems running on Windows 2000/XP/.NET It randomly spreads to systems running on Windows 2000/XP/.NET using the Anonymous null session passwords exploit and the weak password brute force attack to gain write access to the shared resource \IPC$ (SMB service). After it has copied itself to target machines, it schedules tasks to execute its copy on these machines. You may obtain more information about this null session password by visiting Microsoft's Web site at: Differences in Default Security Settings

Upon execution, this worm explicitly checks whether the system is running on Windows 2000/XP/.NET. Otherwise, it terminates immediately. If found, it then searches for the NETAPI32.DLL module and loads the DLL. If it fails to find or load the DLL, the worm terminates itself. It requires the module of the following API functions in order to spread successfully:

• NetUserEnum
• NetRemoteTOD
• NetApiBufferFree
• NetScheduleJobAdd

The worm creates 100 threads and then sleeps for 4,294,967,295 milliseconds (approximately 50 days), waiting for the threads to finish. Each thread connects to random IP addresses, which are generated using the random function with the system tick count as the seed. If the connection to a random IP address is successful, the thread performs a DNS lookup of the corresponding hostname. The worm uses the name to connect to SMB service and tries to access the \IPC$ share.

The worm uses the Anonymous null session passwords exploit on the target system to obtain a list of users' names. It uses the Application Program Interface (API) NetUserEnum to obtain a list of names. Then, it uses the following passwords as its weak password brute force attack to gain access to the remote share:

[*]admin
[*]root
[*]111
[*]123
[*]1234
[*]123456
[*]654321
[*]1
[*]!@#$
[*]asdf
[*]asdfgh
[*]!@#$%
[*]!@#$%^
[*]!@#$%^&
[*]!@#$%^&*
[*]server

Once it has successfully logged and gained write access to the SMB share, it copies itself to these directories with the filename IRAQ_OIL.EXE filename:

• 
  $\winnt\system32\
• \Admin$\system32\

Then, it schedules itself to execute after 1 to 2 minutes have elapsed on the infected system.

If you would like to scan your computer for WORM_LIOTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com

WORM_LIOTEN.A is detected and cleaned by Trend Micro pattern file #412 and above.

 

Paul,

Do you happen to know if avast 4 covers this one?

TEL

 

Technodrome,

Nice screen shot; avast4 impresses! Thx

Is there any downside to enabling: Do not allow anonymous enumeration of Sam accounts and shares in XP, which is a work around for this worm, isn't it?

TEL