Virus Name: I-Worm.Lioten.A
Aliases: W32/Lioten-A, W32/Lioten.worm, W32.Lioten.A, W32.HLLW.Lioten, Worm_Lioten.A, IraqiWorm, Iraq-Oil
The Lioten Worm identifies badly secured Windows 2000, .NET, and Windows XP computers on the Internet. Once it discovers one, it tries to copy itself to that computer and then run there. If successful, it generates one hundred random IP addresses and tries to connect to them using an anonymous account with no username or password. This is known as an anonymous null session or unauthenticated connection. Lioten uses the Server Message Block Service (SMB Service) at TCP Port 445, which is NetBIOS over TCP/IP, for the connection, then requests the list of usernames, which is allowed in null sessions. After that, it tries several default passwords, such as admin, root, [blank password], and server, to gain access. If it does gain access, it places the program iraq_oil.exe into the System32 Directory and schedules itself to be run. If it has enough privileges to do so, it then attacks one hundred more computers. Because of this, Lioten can also cause a denial of service, as the system's resources are used up in the attempt to spread the worm further. This Worm runs on and breaks Windows 2000 and XP computers, runs on but does not break Windows NT computers, and cannot run on or break Windows 9x computers. Although it can lead to a denial of service, the Lioten Worm is generally not considered destructive because that is not its goal.
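The scanning behaviour described above is visible to a defender as one host opening TCP 445 connections to many different addresses in a short time. The following is an added example, not part of the original page, that flags such hosts in flow records; the log format, the addresses, and the threshold of 50 distinct destinations per 60 seconds are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed flow records: 'timestamp src dst dst_port proto'."""
    base = datetime(2003, 1, 1, 12, 0, 0)  # arbitrary constructed start time
    lines = []
    for i in range(100):  # one host, 100 distinct targets on 445 in ~20 s
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} 10.0.0.23 198.51.100.{i + 1} 445 tcp")
    for i in range(30):   # normal client reusing a single file server
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.40 10.0.0.5 445 tcp")
    for i in range(80):   # web browsing: many targets, but not port 445
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.41 203.0.113.{i + 1} 443 tcp")
    return lines

def find_smb_fanout(lines, threshold=50, window=timedelta(seconds=60)):
    """Return {src: peak distinct TCP 445 destinations inside any window}."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port, proto = line.split()
        if port == "445" and proto == "tcp":
            per_src[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop records that have aged out of the sliding window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for host, count in find_smb_fanout(sample_log()).items():
        print(f"{host}: {count} distinct TCP 445 destinations within 60 s")
```

Counting distinct destinations rather than connections keeps a client that talks to one file server all day from being flagged.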
Copyright (c) 2003, 2004, 2008 A. Ryan Robbins. All Rights Reserved.