The worm propagates by generating a pseudo-random IP address and exploiting hosts that have the following weak security configuration:
- Anonymous Null Sessions fully enabled
- Weak (or null) passwords on privileged user accounts
OBrien, Brennan posted the following to the Incidents mailing list:
Apparently this has been identified as WORM_LIOTEN.A through TREND, W32.HLLW.Lioten via Symantec and W32/Lioten.worm via McAfee.
Internet Storm Center reports an increase in port 445 scans, which can be seen from their report located at:
Steve Friedl: "Iraq Oil" worm reverse engineering & analysis
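A detection sketch for the behaviour described above, added here as an example and not taken from the original article or the analyses it links to: because the worm picks pseudo-random targets, an infected host appears as one source sending TCP/445 connection attempts to many unrelated addresses in a short time. The log format, field names, addresses and thresholds are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall log layout (hypothetical, not a specific product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)$"
)

def find_smb_scanners(lines, window_s=60, min_targets=20):
    """Map each source to its peak number of distinct TCP/445 SYN targets seen
    inside any sliding window of window_s seconds; keep peaks >= min_targets."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dpt"] != "445" or m["flags"] != "SYN":
            continue  # skip malformed lines, other ports, non-initial packets
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        win, seen, peak = deque(), Counter(), 0
        for ts, dst in evs:
            win.append((ts, dst))
            seen[dst] += 1
            while (ts - win[0][0]).total_seconds() > window_s:
                _, old = win.popleft()  # expire events that left the window
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def constructed_sample():
    """Constructed log lines: one sweeping source, one ordinary SMB client."""
    t0 = datetime(2002, 12, 17, 3, 0, 0)
    lines = []
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        # 192.0.2.10 tries a new address every second (documentation range stands in for random targets)
        lines.append(f"{ts} SRC=192.0.2.10 DST=198.51.100.{i + 1} PROTO=TCP DPT=445 FLAGS=SYN")
        peer = ("203.0.113.5", "203.0.113.6")[i % 2]  # 192.0.2.20 reuses two file servers
        lines.append(f"{ts} SRC=192.0.2.20 DST={peer} PROTO=TCP DPT=445 FLAGS=SYN")
    lines.append("truncated or malformed line")
    return lines

if __name__ == "__main__":
    print(find_smb_scanners(constructed_sample()))
```

Tune `window_s` and `min_targets` against the normal SMB fan-out of your own file servers and management hosts before alerting on the result.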