Educause Security Discussion mailing list archives

Re: info on the new worm ?


From: "Crawford, Charles D" <ccrawf () KU EDU>
Date: Tue, 17 Dec 2002 09:47:27 -0600

Here is what we have found out:

It's a new worm that attacks Win2k and WinXP machines via TCP port 445.
(Apparently) it establishes a null session via an unauthenticated system
share -- IPC$, maybe others -- that allows it to get a list of users and
groups.  Then it makes a brute force password attack on those accounts,
trying each of some 16 passwords in its little dictionary.  When it succeeds
in logging in it copies its code to the System32 folder as file
iraq_oil.exe, sets it to run via Task Scheduler, launches about 100 threads
generating random IPs and goes looking for other victims.  Reports are that
this can make a network very very busy.

Lioten's Password Dictionary

server
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1
654321
123456
1234
123
111
root
admin

Charles Crawford
University of Kansas
IT Security Officer
(785)864-0491
ccrawf () ku edu


-----Original Message-----
From: Jim Moore [mailto:jhmfa () CIS RIT EDU]
Sent: Tuesday, December 17, 2002 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] info on the new worm ?


I haven't seen much info on the new worm circulating except for this.

- - - - Begin Included message - - - -
All,

Over the weekend we detected and completed analysis of what appears to be a
new Internet worm which we're calling IraqiWorm.

This worm utilizes Windows Null Sessions against Windows 2000 and XP systems
to enumerate user account names and group memberships, then it launches a
simple brute force dictionary attack against all discovered user names.  We
suspect the number of infected hosts is already in the thousands, and expect
many more infections as there are many hosts poorly secured against this
type of mechanized attack.

Full details are here:
http://www.mynetwatchman.com/kb/security/articles/iraqiworm/index.htm


Regards,

Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924

- - - End included message - - -
--
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Telephone: (585)475-5406
Fax:       (585)475-7950

PGP (jimmoore () mail rit edu): 9C33 0328 CD59 B602 82B8 8521 0DC9 963C D0C0
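The behaviour both messages describe (a host spraying TCP/445 at random addresses, then null-session enumeration followed by a short dictionary sweep across every account it finds) suggests two detections and one audit. The Python below is an added example, not code from either message or from myNetWatchman's analysis: the flow and failed-logon record formats, the thresholds and the sample records are constructed assumptions, and only the 16-entry password dictionary is taken from the thread.

```python
"""Detection sketch for the worm behaviour described in the thread.

Checks over constructed sample records (assumed formats, not any product's logs):
  1. SMB fan-out: one source opening TCP/445 connections to many distinct hosts.
  2. Null-session brute force: one source producing failed logons spread across
     many distinct accounts, as a dictionary sweep of an enumerated user list would.
  3. Password audit: which accounts the worm's own dictionary would have opened.
"""
from collections import defaultdict

# The 16 passwords quoted in the thread (exact strings; Windows passwords are case-sensitive).
LIOTEN_DICTIONARY = frozenset([
    "server", "!@#$%^&*", "!@#$%^&", "!@#$%^", "!@#$%", "asdfgh", "asdf", "!@#$",
    "1", "654321", "123456", "1234", "123", "111", "root", "admin",
])

# Constructed flow log, one "src dst dport" record per line (assumed format).
# 10.0.5.17 plays the infected host spraying SMB at random addresses.
SAMPLE_FLOWS = """\
10.0.5.17 10.0.9.3 445
10.0.5.17 172.16.40.9 445
10.0.5.17 192.168.77.2 445
10.0.5.17 10.3.0.44 445
10.0.5.17 10.220.1.8 445
10.0.5.17 172.31.5.5 445
10.0.5.17 192.0.2.17 445
10.0.5.17 10.8.8.8 445
10.0.5.17 10.44.1.1 445
10.0.5.17 172.20.3.3 445
10.0.5.20 10.0.9.3 445
10.0.5.20 10.0.9.3 139
10.0.5.21 10.0.9.4 80
"""

# Constructed failed network logons, one "src account" record per line (assumed
# format; on a real host these would come from the Security event log).
SAMPLE_FAILED_LOGONS = """\
10.0.5.17 administrator
10.0.5.17 administrator
10.0.5.17 jsmith
10.0.5.17 backup
10.0.5.17 backup
10.0.5.17 svc_sql
10.0.5.17 guest
10.0.5.17 mhall
10.0.5.20 mhall
10.0.5.20 mhall
"""


def parse_records(text):
    """Split whitespace-separated records, skipping blank lines."""
    return [line.split() for line in text.splitlines() if line.strip()]


def smb_fanout(flow_text, threshold=8):
    """Return {src: distinct_destinations} for sources that hit TCP/445 on at
    least `threshold` distinct hosts.  The threshold is an assumed tuning knob;
    a normal workstation talks SMB to a handful of servers, not to random IPs."""
    targets = defaultdict(set)
    for src, dst, dport in parse_records(flow_text):
        if dport == "445":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def brute_force_sources(logon_text, min_accounts=4):
    """Return {src: sorted accounts} for sources failing logons against at least
    `min_accounts` distinct accounts.  A user mistyping a password hits one
    account repeatedly; a dictionary sweep spreads a few failures over many."""
    accounts = defaultdict(set)
    for src, account in parse_records(logon_text):
        accounts[src].add(account.lower())
    return {src: sorted(names) for src, names in accounts.items() if len(names) >= min_accounts}


def weak_accounts(passwords):
    """Return the account names whose password is in the worm's dictionary,
    i.e. the accounts the worm would have logged into on this host."""
    return sorted(name for name, pw in passwords.items() if pw in LIOTEN_DICTIONARY)


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(SAMPLE_FLOWS))
    print("Brute-force sources:", brute_force_sources(SAMPLE_FAILED_LOGONS))
    # Constructed account/password sample for the audit check.
    print("Weak accounts:", weak_accounts({"backup": "123456", "jsmith": "C0rrect-h0rse", "admin": "admin"}))
```

The fan-out check is the cheapest network-side signal, since the worm's roughly 100 scanning threads make an infected host's destination count stand out long before any logon succeeds; the failed-logon check catches the null-session sweep on a target that has not yet been compromised, and the dictionary audit is what to run on hosts that were reachable on 445 to find the accounts that need their passwords changed.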

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.
