The security software company F-Secure on Tuesday said it found a worm in the wild that spreads not through email or via Web links, but through Windows shared folders.
Lioten, also known as Iraq_Oil, scans the internet for Windows 2000 and Windows XP machines that are not protected by a firewall and have shared folders enabled, a feature that lets multiple users share files stored on one user's system.
Once such a machine is found, the worm guesses a password and logs in to the machine, F-Secure says. It then copies itself to the machine as an executable file (usually named iraq_oil.exe) and runs it, thus launching a search for other machines to infect. The worm launches 100 threads, each of which starts generating random IP addresses.
“Lioten just spreads — there is no further payload,” says Mikko Hypponen, manager of anti-virus research for F-Secure, based in Finland. “It is quite a small virus.”
The worm exploits the Windows Server Message Block (SMB) service on port 445, which can be blocked with basic firewall techniques.
F-Secure ranked Lioten at its second-most serious level, Level 2, defined as a new virus causing a large infection that might be local to a specific region.
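The scanning behaviour described above (many threads probing random addresses on port 445) shows up in firewall logs as one source contacting a large number of distinct destinations on that port in a short time. The following is an added example, not code from F-Secure or the original article; the log format, the 60-second window, the threshold of 20 destinations and all addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)  # assumed window
THRESHOLD = 20                  # assumed limit on distinct destinations

def find_smb_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged source to its peak count of distinct port-445
    destinations seen inside any sliding window."""
    events = defaultdict(list)
    for line in lines:
        try:
            ts, src, dst, dport, _action = line.split()
            if int(dport) == SMB_PORT:
                events[src].append((datetime.fromisoformat(ts), dst))
        except ValueError:
            continue  # malformed line: skip rather than abort the scan
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, peak, live = 0, 0, defaultdict(int)
        for ts, dst in evs:
            live[dst] += 1
            while ts - evs[start][0] > window:  # expire old events
                old = evs[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def sample_log():
    """Constructed log lines: 'timestamp src dst dport action'."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    log = ["garbage line"]
    for i in range(40):
        # Worm-like: a new destination every second on port 445.
        log.append(f"{stamp(i)} 10.0.0.5 198.51.100.{i + 1} 445 DENY")
        # Normal client: one file server, repeatedly.
        log.append(f"{stamp(i)} 10.0.0.8 10.0.0.2 445 ALLOW")
        # Many destinations, but not SMB.
        log.append(f"{stamp(i)} 10.0.0.7 203.0.113.{i + 1} 80 ALLOW")
    for i in range(25):
        # Distinct SMB destinations, but two minutes apart.
        log.append(f"{stamp(i * 120)} 10.0.0.9 192.0.2.{i + 1} 445 DENY")
    return log

if __name__ == "__main__":
    print(find_smb_scanners(sample_log()))
```

Only the host that fans out to many addresses on port 445 is reported; the client that talks repeatedly to one file server, the slow host and the non-SMB traffic stay below the threshold.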