Iraq_Oil.exe Worm

Discussion in 'malware problems & news' started by EdBB, Dec 17, 2002.

Thread Status:
Not open for further replies.
  1. EdBB

    EdBB Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    24
    Good day:

    I have just learned on the GRC Security forum that a new worm is in the wild. I understand that it attacks through port 445.

    It seems to go by various names:

    Iraq_Oil.exe, Iraqi_oil.exe, W32.HLLW.Lioten, W32/Liotem.worm, WORM_LIOTEN.A

    I have added these names to my WG lockfile.txt file.

    HTH,

    Ed
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Hi edBB,

    Indeed it is. All major antiviruses do cover this one in the meanwhile - NOD32 included.

    Thanks for the heads up ;).

    regards.

    paul
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Hi Ran,

    Lawrence did a fine job here - as has Philip ;).

    regards.

    paul
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hi,

    This worm exploits the new flaw IPC and plays with port 445
    assocciated with M$ Network protocol on Win2k/XP

    To correct the flaw IPC in "null session"
    go to :
    HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\LSA
    Restrict Anonymous set value 2 instead of 0

    Other way : unactivate listening on port 445 :
    in the register :
    go to : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    and add Add this value
    Value : SmbDeviceEnabled
    Type : DWORD value (REG_DWORD)
    Content : 0

    You may apply both

    NB : it will correct the flaw, but not prevent installing the worms/virus :)

    Rgds,
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    WORM_LIOTEN.A (Trend Micro)

    WORM_LIOTEN.A is a network worm that spreads to, and executes, only on systems running on Windows 2000/XP/.NET It randomly spreads to systems running on Windows 2000/XP/.NET using the Anonymous null session passwords exploit and the weak password brute force attack to gain write access to the shared resource \IPC$ (SMB service). After it has copied itself to target machines, it schedules tasks to execute its copy on these machines. You may obtain more information about this null session password by visiting Microsoft's Web site at: Differences in Default Security Settings

    Upon execution, this worm explicitly checks whether the system is running on Windows 2000/XP/.NET. Otherwise, it terminates immediately. If found, it then searches for the NETAPI32.DLL module and loads the DLL. If it fails to find or load the DLL, the worm terminates itself. It requires the module of the following API functions in order to spread successfully:

    • NetUserEnum
    • NetRemoteTOD
    • NetApiBufferFree
    • NetScheduleJobAdd

    The worm creates 100 threads and then sleeps for 4,294,967,295 milliseconds (approximately 50 days), waiting for the threads to finish. Each thread connects to random IP addresses, which are generated using the random function with the system tick count as the seed. If the connection to a random IP address is successful, the thread performs a DNS lookup of the corresponding hostname. The worm uses the name to connect to SMB service and tries to access the \IPC$ share.

    The worm uses the Anonymous null session passwords exploit on the target system to obtain a list of users' names. It uses the Application Program Interface (API) NetUserEnum to obtain a list of names. Then, it uses the following passwords as its weak password brute force attack to gain access to the remote share:

    [*]admin
    [*]root
    [*]111
    [*]123
    [*]1234
    [*]123456
    [*]654321
    [*]1
    [*]!@#$
    [*]asdf
    [*]asdfgh
    [*]!@#$%
    [*]!@#$%^
    [*]!@#$%^&
    [*]!@#$%^&*
    [*]server

    Once it has successfully logged and gained write access to the SMB share, it copies itself to these directories with the filename IRAQ_OIL.EXE filename:


    • $\winnt\system32\
    • \Admin$\system32\

    Then, it schedules itself to execute after 1 to 2 minutes have elapsed on the infected system.

    If you would like to scan your computer for WORM_LIOTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free online virus scanner at: http://housecall.trendmicro.com

    WORM_LIOTEN.A is detected and cleaned by Trend Micro pattern file #412 and above.
     
  7. TEL

    TEL Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    25
    Paul,

    Do you happen to know if avast 4 covers this one? o_O

    TEL

     
  8. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
     

    Attached Files:

  9. TEL

    TEL Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    25
    Technodrome,

    Nice screen shot; avast4 impresses! Thx :)

    Is there any downside to enabling: Do not allow anonymous enumeration of Sam accounts and shares in XP, which is a work around for this worm, isn't it?

    TEL
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.