PCA Forums

Where the old farts gather
https://www.pcabusers.org/phpbb3/

Found a new virus atleast I've never heard of...

https://www.pcabusers.org/phpbb3/viewtopic.php?f=3&t=25069

Page 1 of 1

Found a new virus atleast I've never heard of...

Posted: Fri Feb 21, 2003 8:23 pm
by demonmonkey1234
I don't know all the details but my virus scan just picked up.... get this...

Item: Virus Name:
Iraq oil.exe W32.HLLW.Lioten

Just gettin the word out, it's nothing major I just found it in a routine virus scan.

Posted: Fri Feb 21, 2003 9:12 pm
by blade
http://securityresponse.symantec.com/av ... ioten.html

<i>W32.HLLW.Lioten is a simple worm that attempts to copy itself over Windows NT-based networks. The worm is written in the Visual C programming language and is packed with UPX.

When attempting to find machines to infect, it will query machines on port 445.


Also Known As: W32/Lioten.worm [McAfee], Win32.Lioten [CA], WORM_LIOTEN.A [Trend], W32/Lioten-A [Sophos], Worm.Win32.Lioten [KAV]

Type: Worm

Infection Length: 16,896 [UPX], 40,960

Systems Affected: Windows 2000, Windows XP

Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX, Linux </i>



Looks like a new one that will be changing names regularly. As always as it appears you have done, keep the av updated. :)



More info:

<i>When W32.HLLW.Lioten runs, it does the following:

It creates 100 threads and starts generating random IP addresses. The randomly generated IP address is one of the following, [0-255].[0-127].[0-255].[0-127]. Therefore, a machine with IP address, 172.155.21.56, would be immune to this threat due to the second digit being greater than 127. The same is also true if the last digit is greater than 127.

The worm tries to determine if an IP address is valid by querying the IP address on port 445.

Next, it tries to use these valid IP addresses to copy itself to other computers on the network as %system%\</i><font color=red><b>Iraq_oil.exe</b></font color>.

NOTE: %system% is a variable. The worm locates the System folder and copies itself to that location. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The worm uses more than 12 different default passwords in its attempt to spread. Among these passwords are: admin, root, 111, 123, 1234, 123456, 654321, 1, !@#$, asdf, asdfgh, !@#$%, !@#$%^, !@#$%^&, !@#$%^&*, and server.

The worm uses the NetScheduleJobAdd function in netapi32 to run the worm at a specified time and date. This function requires that the scheduled service be started on the computer to which the job is submitted. As a result, Windows 95/98/Me systems are not affected because they do not support this functionality.

If there are many infected computers on a network, the worm could cause a Denial of Service because it is running in multiple threads and probing for new IP addresses to infect.

Win32.HLLW.Lioten.A

Posted: Sat Feb 22, 2003 7:36 pm
by Augix
Win32.HLLW.Lioten.A


Name: Win32.HLLW.Lioten.A
Aliases: N/A
Type: Executable, Worm
Size: 17 KB (packed with UPX), 40 KB (unpacked)
Discovered: December 18, 2002
Detected: December 18, 2002, 18:00 (GMT+2)
Spreading: Low
Damage: VeryLow
ITW: Yes
Symptoms:

- File iraq_oil.exe in C:\WinNT\System32 or <SystemDir> ( <SystemDir> is the Windows system directory )

Technical description:

The worm will run only on NT platforms: Windows NT 4, Windows 2000 or Windows XP, because it uses functions of the "netapi32.dll" library.

The worm tries to access random IP addresses on port 445, that is, it tries to connect to remote computers by TCP on the network or on the Internet, and if succedes, it tries to copy itself to:

\\<IP_Address>\c$\winnt\system32\iraq_oil.exe or
\\<IP_Address>\Admin$\system32\iraq_oil.exe

It tries the following passwords in its connection attempts:

"" (no password)
"admin"
"root"
"111"
"123"
"1234"
"123456"
"654321"
"1"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"server"

After successfully copied to the destination, the worm tries to create a task schedule on the remote computer that would execute the worm executable after a few hours or even the next day, depending on the time zone of the victim's computer.

Removal:

- manual removal: delete the file "iraq_oil.exe" located in the folder "C:\WinNT\System32" and/or your computer system folder
- automatic removal: let BitDef ender delete the files found infected with this worm
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited