Win32.HLLW.Lioten.A ( N/A )
SYMPTOMS:
- File iraq_oil.exe in C:\WinNT\System32 or

TECHNICAL DESCRIPTION:
The worm will run only on NT platforms (Windows NT 4, Windows 2000 or Windows XP), because it uses functions of the "netapi32.dll" library.

The worm tries to access random IP addresses on port 445, that is, it tries to connect to remote computers by TCP on the network or on the Internet, and if it succeeds, it tries to copy itself to: \\\\ \\\\

It tries the following passwords in its connection attempts:
- "" (no password)
- "admin"
- "root"
- "111"
- "123"
- "1234"
- "123456"
- "654321"
- "1"
- "!@#$"
- "asdf"
- "asdfgh"
- "!@#$%"
- "!@#$%^"
- "!@#$%^&"
- "!@#$%^&*"
- "server"

After it has been successfully copied to the destination, the worm tries to create a scheduled task on the remote computer that executes the worm executable after a few hours or even the next day, depending on the time zone of the victim's computer.

Removal instructions:
- manual removal: delete the file "iraq_oil.exe" located in the folder "C:\WinNT\System32\" and/or your computer system folder
- automatic removal: let BitDefender delete the files found infected with this worm

ANALYZED BY:
Mihai Neagu, BitDefender Virus Researcher
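
The random-address probing on port 445 described in the technical description shows up in connection logs as one source contacting many distinct destinations in a short time. The following detection sketch is an added example, not BitDefender's code; the log format, addresses, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, sorted by time: "<ISO timestamp> <src> <dst> <dst port>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 198.51.100.7 445
2024-01-01T10:00:01 10.0.0.9 192.0.2.10 445
2024-01-01T10:00:02 10.0.0.5 203.0.113.44 445
2024-01-01T10:00:03 10.0.0.7 198.51.100.20 80
2024-01-01T10:00:04 10.0.0.5 198.51.100.91 445
2024-01-01T10:00:05 10.0.0.9 192.0.2.10 445
2024-01-01T10:00:06 10.0.0.5 203.0.113.200 445
2024-01-01T10:00:08 10.0.0.5 198.51.100.133 445
2024-01-01T10:00:09 10.0.0.5 203.0.113.9 445
2024-01-01T10:05:00 10.0.0.9 192.0.2.11 445
"""

def parse(line):
    """Split one log line into (timestamp, source, destination, port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {source: peak distinct TCP/445 destinations seen in one window}
    for every source that reaches `threshold` (assumed tuning value)."""
    recent = defaultdict(deque)  # source -> (timestamp, destination) in window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse(line)
        if dport != 445:
            continue  # only SMB-over-TCP traffic is relevant here
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for host, count in smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {count} distinct hosts contacted on TCP/445 within 60s")
```

A workstation that talks to one file server repeatedly (10.0.0.9 in the sample) stays below the threshold, while the host sweeping many addresses is reported.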