Lioten, also known as Iraq_Oil, is a Windows network worm spreading through
shared folders. It was found on December 16th, 2002 in the wild.
Lioten does not spread through e-mail at all. Instead, it scans the internet
for Windows 2000 and Windows XP machines which have shared folders with other
users and are not protected by a firewall. Once a suitable machine is found,
the worm guesses a password, logs in to the machine, copies itself over as
an EXE file (usually named iraq_oil.exe) and executes it. After this the
worm restarts spreading.
The reason for the reference to Iraq is unclear.
The worm exploits the Windows Server Message Block (SMB) service on port 445.
Basic firewall filtering prevents access to this port.
The worm launches 100 threads, each of which generates random IP addresses,
using the system clock as the seed value.
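From the network side, this behaviour shows up as one host opening connections to port 445 on many unrelated addresses within seconds. The following detection sketch is an added example, not part of the original description; the flow-record format, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445

def parse_flow(line):
    """Parse 'ISO-timestamp src dst dport' (a constructed format, not a real product's)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(lines, window_seconds=10, max_distinct=20):
    """Return {src: peak count of distinct TCP/445 destinations in any window}
    for sources whose peak exceeds max_distinct. Lines must be in time order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still inside the window
    peak = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n > max_distinct}

def constructed_sample():
    """Constructed flow records: one scanning host and one ordinary file-share client."""
    base = datetime(2002, 12, 16, 10, 0, 0)
    lines = []
    for i in range(40):   # 192.0.2.7 sweeps 40 unrelated addresses in 4 seconds
        t = base + timedelta(milliseconds=100 * i)
        dst = f"10.{(i * 37) % 256}.{(i * 91) % 256}.{i + 1}"
        lines.append(f"{t.isoformat()} 192.0.2.7 {dst} {SMB_PORT}")
    for i in range(40):   # 192.0.2.8 keeps using the same two file servers
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 192.0.2.8 192.0.2.{1 + i % 2} {SMB_PORT}")
    lines.append(f"{base.isoformat()} 192.0.2.8 192.0.2.80 80")   # non-SMB traffic, ignored
    return sorted(lines)   # ISO timestamps sort chronologically

if __name__ == "__main__":
    for src, n in find_smb_scanners(constructed_sample()).items():
        print(f"{src}: {n} distinct TCP/445 destinations within 10 s")
```

Counting distinct destinations rather than total connections keeps a busy but legitimate file-share client below the threshold.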
For every generated IP address a connection is made to port 445. If the
connection is successful, the worm tries to list the users on the machine and
to guess their passwords, using a hardcoded internal list which
contains a blank password and the following words: