Win32.HLLW.Lioten.A

LOW
VERY LOW
17 KB (packed with UPX), 40 KB (unpacked)
(N/A)

Symptoms

- File iraq_oil.exe in C:\WinNT\System32 or in the Windows system directory

Removal instructions:

- manual removal: delete the file "iraq_oil.exe" located in the folder "C:\WinNT\System32\" and/or your computer system folder
- automatic removal: let BitDefender delete the files found infected with this worm

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

The worm will run only on NT platforms: Windows NT 4, Windows 2000 or Windows XP, because it uses functions of the "netapi32.dll" library.
The worm tries to access random IP addresses on port 445, that is, it tries to connect by TCP to remote computers on the network or on the Internet, and if it succeeds, it tries to copy itself to:
\\<remote host>\c$\winnt\system32\iraq_oil.exe or
\\<remote host>\Admin$\system32\iraq_oil.exe
It tries the following passwords in its connection attempts:
"" (no password)
"admin"
"root"
"111"
"123"
"1234"
"123456"
"654321"
"1"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"server"
After it has been successfully copied to the destination, the worm tries to create a scheduled task on the remote computer that would execute the worm executable after a few hours or even the next day, depending on the time zone of the victim's computer.
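
The random port 445 connection attempts described above appear in flow or firewall logs as one source contacting many distinct addresses in a short time. The following detector is an added example, not part of the original write-up or any BitDefender tool; the log format, the function names, the 60-second window and the threshold of 5 are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records, time-ordered: "ISO-time src_ip dst_ip dst_port"
SAMPLE_FLOWS = [
    "2024-01-01T09:00:00 10.0.0.5 10.0.0.20 445",      # workstation -> its file server
    "2024-01-01T09:00:01 10.0.0.7 198.51.100.14 445",  # 10.0.0.7 fans out to many hosts
    "2024-01-01T09:00:02 10.0.0.7 203.0.113.9 445",
    "2024-01-01T09:00:03 10.0.0.5 10.0.0.20 445",
    "2024-01-01T09:00:04 10.0.0.7 192.0.2.77 445",
    "truncated line",                                   # malformed record, skipped
    "2024-01-01T09:00:05 10.0.0.7 198.51.100.200 445",
    "2024-01-01T09:00:06 10.0.0.7 203.0.113.150 445",
    "2024-01-01T09:00:07 10.0.0.5 203.0.113.80 80",    # not SMB, ignored
    # 10.0.0.9 reaches five hosts too, but one every five minutes
    *[f"2024-01-01T09:{10 + 5 * i:02d}:00 10.0.0.9 192.0.2.{10 + i} 445" for i in range(5)],
]

def parse_flow(line):
    """Return (time, src, dst, port), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=5, port=445):
    """Map each source that contacted at least `threshold` distinct destinations
    on `port` within a sliding `window` to the time the threshold was first met."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, dport in filter(None, map(parse_flow, lines)):
        if dport != port or src in alerts:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop connections older than the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in find_smb_scanners(SAMPLE_FLOWS).items():
        print(f"{when.isoformat()} {src} contacted many hosts on TCP 445")
```

The window and threshold need tuning against normal traffic, and hosts that legitimately contact many SMB servers (backup servers, vulnerability scanners) belong on an allowlist.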