Iraq Oil Worm Targeting TCP Port 445

On December 14, 2002 at 11:00 UTC the myNetWatchman system identified a worm-like surge in port scanning activity targeting TCP port 445. This port is associated with Microsoft’s networking protocol (Server Message Block – SMB) when used with Windows 2000 and XP systems.

The worm propagates by generating a pseudo-random IP address and exploiting hosts that have the following weak security configuration:

  • Anonymous Null Sessions fully enabled
  • Weak (or null) passwords on privileged user accounts

Detailed analysis of the worm can be read from myNetWatchman.
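
The scanning pattern described above, one host sending connection attempts on TCP port 445 to many unrelated addresses, can be picked out of firewall logs. The following is an added example, not code from myNetWatchman or the original post; the log format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format:
#   <ISO time> <src> -> <dst>:<port> <proto> <flags>
SAMPLE_LOG = """\
2002-12-14T11:00:01 10.1.1.23 -> 192.0.2.10:445 TCP SYN
2002-12-14T11:00:02 10.1.1.23 -> 198.51.100.77:445 TCP SYN
2002-12-14T11:00:02 10.1.1.40 -> 10.1.1.5:445 TCP SYN
2002-12-14T11:00:03 10.1.1.23 -> 203.0.113.5:445 TCP SYN
2002-12-14T11:00:04 10.1.1.23 -> 172.16.9.1:445 TCP SYN
2002-12-14T11:00:05 10.1.1.77 -> 192.0.2.80:80 TCP SYN
2002-12-14T11:00:06 10.1.1.23 -> 10.200.3.4:445 TCP SYN
2002-12-14T11:00:08 10.1.1.50 -> 10.1.1.5:445 TCP SYN
2002-12-14T11:00:08 10.1.1.50 -> 10.1.1.6:445 TCP SYN
2002-12-14T11:00:09 10.1.1.50 -> 10.1.1.7:445 TCP SYN
2002-12-14T11:00:09 10.1.1.50 -> 10.1.1.8:445 TCP SYN
2002-12-14T11:00:10 10.1.1.50 -> 10.1.1.9:445 TCP SYN
"""

def parse(line):
    ts, src, _, dst_port, proto, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ipaddress.IPv4Address(dst), int(port), proto, flags

def find_445_scanners(log, window=timedelta(seconds=60), min_targets=5, min_nets=4):
    """Return {src: (distinct targets, distinct /8 networks)} for sources that send
    SYNs on TCP/445 to many unrelated addresses inside one sliding window."""
    events = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        ts, src, dst, port, proto, flags = parse(line)
        if (proto, port, flags) == ("TCP", 445, "SYN"):
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            targets = {dst for _, dst in evs[start:end + 1]}
            nets = {int(dst) >> 24 for dst in targets}   # first octet of each target
            # Random-address scanning spreads across networks; a client talking
            # to several servers on its own subnet does not.
            if len(targets) >= min_targets and len(nets) >= min_nets:
                hits[src] = max(hits.get(src, (0, 0)), (len(targets), len(nets)))
    return hits
```

On the constructed log, only 10.1.1.23 is reported: 10.1.1.50 reaches five hosts on port 445 but all within one network, and 10.1.1.40 repeatedly contacts a single file server.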

OBrien, Brennan posted the following to the Incidents mailing list:
Apparently this has been identified as WORM_LIOTEN.A through TREND, W32.HLLW.Lioten via Symantec and W32/Lioten.worm via McAfee.

Internet Storm Center reports an increase in port 445 scans, which can be seen from their report located at:
http://isc.incidents.org/port_details.html?port=445

Steve Friedl: “Iraq Oil” worm reverse engineering & analysis
http://www.unixwiz.net/iraqworm/
