W32/Lioten.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 12/16/2002
Length: 16,896 bytes
Minimum DAT: 4239 (12/23/2002)
Updated DAT: 4239 (12/23/2002)
Minimum Engine: 5.1.00
Description Added: 12/16/2002
Description Modified: 12/19/2002 2:21 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

Update 12/19/2002:

Due to the late appearance of this virus and the extra quality assurance testing required, AVERT decided to include it in the next (4239) weekly DAT update. Unfortunately, this information did not make it into the readme.txt file. If you would like an extra.dat for this threat, please write to extradat@avertlabs.com.

Update 12/17/2002:
This threat has an updated risk assessment of Low-Profiled due to the press article "New 'Iraq oil' network worm found".

This is a network share propagating worm. It exploits weak security configurations under Windows NT/2000/XP. It targets randomly generated IP addresses over SMB (port 445) and attempts to connect to responding systems through the IPC$, C$, or Admin$ share, trying the following passwords:
  • server
  • !@#$%^&*
  • !@#$%^&
  • !@#$%^
  • !@#$%
  • asdfgh
  • asdf
  • !@#$
  • 1
  • 654321
  • 123456
  • 1234
  • 123
  • 111
  • root
  • admin
Once successfully connected to a victim's system, the worm copies itself to the SYSTEM32 directory as iraq_oil.exe.

Symptoms

- Presence of the file iraq_oil.exe
- Significant increase in SMB traffic

Method of Infection

This worm copies itself to systems by targeting random IP addresses. It uses a "dictionary" attack to attempt to connect to common and default shares. Once a successful connection has been established, the worm copies itself to the SYSTEM32 folder and schedules a task to run the executable.
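The random targeting on port 445 and the resulting rise in SMB traffic described above can be looked for in connection logs by counting how many distinct SMB destinations each internal host contacts within a short window. The Python below is an added example, not part of the original description or of any vendor tool; the log format, the addresses, the 60-second window and the threshold of 20 are constructed assumptions to tune per network.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # port the worm probes, per the description above

def constructed_flows():
    """Constructed sample log, one 'ISO-time src dst dst_port' record per line."""
    t0, rows = datetime(2002, 12, 16, 9), []
    for i in range(30):
        s, m = t0 + timedelta(seconds=i), t0 + timedelta(minutes=10 * i)
        rows += [
            f"{s.isoformat()} 10.0.0.5 198.51.100.{i + 1} 445",  # 30 targets in 30 s
            f"{s.isoformat()} 10.0.0.8 10.0.0.2 445",            # one file server, repeatedly
            f"{s.isoformat()} 10.0.0.9 203.0.113.{i + 1} 443",   # many hosts, not SMB
            f"{m.isoformat()} 10.0.0.7 10.0.1.{i + 1} 445",      # 30 SMB peers over hours
        ]
    return "\n".join(rows)

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:  # wrong field count, bad timestamp or bad port
            continue

def smb_fanout(flows, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak distinct SMB destinations in any window} for sources >= threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # expire events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Counting distinct destinations rather than raw connections keeps a busy client of a single file server from being flagged, and the sliding window keeps a host that reaches many peers over several hours below the threshold.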

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Lioten (Symantec)
