Iraq Oil Worm Targeting TCP Port 445

On December 14, 2002 at 11:00 UTC the myNetWatchman system identified a worm-like surge in port scanning activity targeting TCP port 445. This port is associated with Microsoft’s networking protocol (Server Message Block – SMB) when used with Windows 2000 and XP systems.

The worm propagates by generating a psuedo-random IP address and exploiting hosts which have the following weak security configuration:

  • Anonymous Null Sessions fully enabled
  • Weak (or null) passwords on privileged user accounts

Detailed analysis of the worm can be read from myNetWatchman.

OBrien, Brennan posted the following to the Incidents mailing list:
Apparently this has been identified as WORM_LIOTEN.A through TREND, W32.HLLW.Lioten via Symantec and W32/Lioten.worm via McAfee.

Internet Storm Center reports an increase in port 445 scans, which can be seen from their report located at:

Steve Friedl: “Iraq Oil” worm reverse engineering & analysis

Don't miss