The worm propagates by generating pseudo-random IP addresses and exploiting hosts that have the following weak security configuration:
- Anonymous Null Sessions fully enabled
- Weak (or null) passwords on privileged user accounts
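Because the worm picks targets at random and then tries SMB against each one, its propagation looks like a single source touching many distinct hosts on TCP/445 in a short time, which is cheap to spot in perimeter or host firewall logs. The script below is an added example and is not part of the original write-up or of any vendor analysis; it assumes a netfilter-style one-line-per-packet log format (the `SRC=`/`DST=`/`PROTO=`/`DPT=` fields) and all sample lines are constructed, not captured from an incident. It flags any source that reaches a threshold of distinct destinations on 445 within a sliding time window, while ignoring a busy client that repeatedly hits one file server and a slow, low-volume source that never crosses the threshold inside the window.

```python
"""Flag sources sweeping TCP/445 across many distinct hosts (worm-style scanning).

Added example: assumes netfilter-style firewall log lines (constructed below);
adapt LINE_RE to your own firewall's format.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Syslog timestamp, then the netfilter key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; relative ordering within a day is all we need.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], int(m["dpt"])


def find_smb_sweepers(lines, threshold=8, window_s=60):
    """Map each source that hit >= threshold distinct hosts on TCP/445 within
    window_s seconds to the largest distinct-destination count observed."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto == "TCP" and dport == 445:
            events[src].append((ts, dst))

    sweepers = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()       # (ts, dst) pairs inside the current time window
        distinct = Counter()   # destination -> hits still inside the window
        for ts, dst in evs:
            window.append((ts, dst))
            distinct[dst] += 1
            # Expire events older than the window before judging this source.
            while ts - window[0][0] > timedelta(seconds=window_s):
                old_ts, old_dst = window.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            if len(distinct) >= threshold:
                sweepers[src] = max(sweepers.get(src, 0), len(distinct))
    return sweepers


def _mk(hms, src, dst, dport=445, proto="TCP"):
    """Build one constructed netfilter-style log line."""
    return (f"Dec 17 {hms} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO={proto} SPT=1234 DPT={dport} SYN")


# Constructed sample traffic (not real capture data).
SAMPLE_LINES = (
    # 10.0.0.5: ten distinct hosts on 445 within ten seconds -> worm-like sweep
    [_mk(f"10:01:{i:02d}", "10.0.0.5", f"10.0.1.{i}") for i in range(10)]
    # 10.0.0.7: twenty connections to one file server -> normal client
    + [_mk(f"10:02:{i:02d}", "10.0.0.7", "10.0.0.20") for i in range(20)]
    # 10.0.0.9: eight distinct hosts, but one per hour -> outside a 60 s window
    + [_mk(f"{10 + i:02d}:00:00", "10.0.0.9", f"10.0.2.{i}") for i in range(8)]
    # 10.0.0.11: many distinct hosts on port 80 -> not SMB, ignored
    + [_mk(f"10:03:{i:02d}", "10.0.0.11", f"10.0.3.{i}", dport=80) for i in range(10)]
    + ["Dec 17 10:04:00 fw sshd[42]: Accepted publickey for ops"]  # unrelated line
)


if __name__ == "__main__":
    for src, count in sorted(find_smb_sweepers(SAMPLE_LINES).items()):
        print(f"{src}: {count} distinct hosts on TCP/445 inside the window")
```

Tune `threshold` and `window_s` to the site: a backup server or a vulnerability scanner legitimately touches many hosts on 445 and should be allow-listed rather than lowering the threshold for everyone.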
OBrien, Brennan posted the following to the Incidents mailing list:
Apparently this has been identified as WORM_LIOTEN.A through TREND, W32.HLLW.Lioten via Symantec and W32/Lioten.worm via McAfee.
The Internet Storm Center reports an increase in scans of port 445 (TCP/445, direct-hosted SMB), which can be seen in their report located at:
Steve Friedl: "Iraq Oil" worm reverse engineering & analysis