Sophos

W32/Lioten-A

Aliases
  • IraqiWorm
  • Iraq_Oil

Summary

 
Detected by All Sophos products

More Information

W32/Lioten-A is a worm which spreads using network shares. The worm tries to identify badly-secured Windows 2000 and Windows XP computers on the internet, to copy itself onto these computers, and to send them commands to start running their own copy of the worm.

When W32/Lioten-A runs, it generates 100 random IP addresses and tries to connect to the Windows IPC$ share on each of these computers, using an anonymous account (no username or password). This sort of access is known as a "null session" or "unauthenticated" connection. The worm uses TCP port 445 (NetBIOS over TCP/IP) for this connection.

W32/Lioten-A then uses its null session connection to request a list of usernames from the potential victim computer. Unsecured Windows systems permit null sessions to be used for this purpose.

Armed with a list of usernames, W32/Lioten-A attempts to make an authenticated connection to the ADMIN$ and C$ shares. The worm tries out the following list of weak passwords for each user:

[blank password]
admin
root
111
123
1234
123456
654321
1
!@#$
asdf
asdfgh
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
server

If any of the accounts can be "cracked" in this way, W32/Lioten-A copies itself to \WINNT\system32\iraq_oil.exe on the computer it is attacking. W32/Lioten-A then sets up a scheduled job on the remote computer which will run the newly-added file in a short while. If the account used by the worm has sufficient privilege to configure jobs remotely, this will cause the infected computer to attack 100 randomly-selected IP addresses in its turn.

Note that W32/Lioten-A:

  • can neither run on nor break into Windows 95/98/Me computers;

  • can run on but not break into Windows NT computers;

  • can run on and break into Windows 2000 and Windows XP computers.
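The scanning behaviour described above (one host contacting many different addresses on TCP port 445 in a short time) can be looked for in connection logs. The following is an added example, not Sophos code: the `epoch src dst dport` log format, the 60-second window, the threshold of 50 and all addresses in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SMB_PORT = 445        # port the advisory says the worm connects to
WINDOW_SECONDS = 60   # assumed detection window
THRESHOLD = 50        # assumed: distinct destinations per window treated as abnormal

def parse(line):
    """Parse one 'epoch src dst dport' record (constructed log format)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def find_smb_scanners(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src: peak number of distinct TCP/445 destinations seen within
    any `window`-second span} for sources whose peak reaches `threshold`."""
    recent = defaultdict(deque)                     # src -> (ts, dst) events still in window
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> events still in window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(parse(l) for l in lines if l.strip()):
        if dport != SMB_PORT:
            continue
        q, c = recent[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        while q and q[0][0] <= ts - window:         # expire events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        peak[src] = max(peak[src], len(c))
    return {s: n for s, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: a worm-like host, a file-server client and a web client."""
    lines = []
    for i in range(100):
        lines.append(f"{1000 + i // 5} 10.0.0.5 198.51.100.{i + 1} 445")  # 100 targets in 20 s
        lines.append(f"{1000 + i} 10.0.0.9 10.0.0.2 445")                 # one server, repeatedly
        lines.append(f"{1000 + i // 5} 10.0.0.7 203.0.113.{i + 1} 80")    # wide fan-out, not 445
    return lines

if __name__ == "__main__":
    for src, n in find_smb_scanners(sample_log()).items():
        print(f"{src}: {n} distinct TCP/445 destinations within {WINDOW_SECONDS}s")
```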
