W32/Lioten.A
Analysis
- Virus is 32-bit and has a compressed size of 16,896 bytes
- When executed, the virus searches the network over the available SMB client protocol, seeking other client targets that may expose the IPC$ (typically Windows 2000/XP), C$ or Admin$ shares
- The virus attempts to gain access to these systems by guessing passwords from a table of names to try, in a “brute-force” method
- Once the virus gains access to a target, it attempts to copy itself to that target system as “iraq_oil.exe”
- The virus then initiates a remote session of Task Scheduler and creates a job to start the worm after a set period of time, within five minutes
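
The chain described above (password guessing over SMB, a copy of “iraq_oil.exe” to an administrative share, then a remote Task Scheduler job) can be correlated in host or network logs. The following is an added example, not part of the original analysis; the event schema, sample events, failure threshold and time window are assumptions constructed for illustration.

```python
from collections import defaultdict

COPY_SHARES = {"C$", "ADMIN$"}   # writable admin shares named in the analysis
DROPPED_NAME = "iraq_oil.exe"    # file name the worm copies itself as

def find_propagation(events, min_failures=5, window=300):
    """Return sorted (src, dst) pairs showing guess -> copy -> scheduled job.

    min_failures and window (seconds) are assumed tuning values.
    """
    state = defaultdict(lambda: {"fails": 0, "copied_at": None})
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        st = state[key]
        if ev["type"] == "logon_fail":
            st["fails"] += 1
        elif ev["type"] == "file_write":
            # Stage 2: the worm's file lands on an admin share after guessing.
            if (ev.get("share", "").upper() in COPY_SHARES
                    and ev.get("name", "").lower() == DROPPED_NAME
                    and st["fails"] >= min_failures):
                st["copied_at"] = ev["ts"]
        elif ev["type"] == "task_create" and st["copied_at"] is not None:
            # Stage 3: remote job created shortly after the copy.
            if ev["ts"] - st["copied_at"] <= window:
                hits.add(key)
    return sorted(hits)

# Constructed sample events (hypothetical normalized schema, ts in seconds).
SAMPLE_EVENTS = (
    [{"ts": t, "src": "10.0.0.5", "dst": "10.0.0.20", "type": "logon_fail"}
     for t in range(6)]
    + [
        {"ts": 10, "src": "10.0.0.5", "dst": "10.0.0.20", "type": "file_write",
         "share": "C$", "name": "iraq_oil.exe"},
        {"ts": 20, "src": "10.0.0.5", "dst": "10.0.0.20", "type": "task_create"},
        # Benign admin activity: one mistyped password, a different file name.
        {"ts": 30, "src": "10.0.0.9", "dst": "10.0.0.21", "type": "logon_fail"},
        {"ts": 40, "src": "10.0.0.9", "dst": "10.0.0.21", "type": "file_write",
         "share": "ADMIN$", "name": "setup.exe"},
        {"ts": 50, "src": "10.0.0.9", "dst": "10.0.0.21", "type": "task_create"},
    ]
)

if __name__ == "__main__":
    print(find_propagation(SAMPLE_EVENTS))
```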