The myNetWatchman system reports that on Monday it identified a "worm-like surge in port scanning activity targeting TCP port 445". This port is associated with Microsoft's networking protocol when used with Windows 2000 and XP systems.
The worm's only objective seems to be to propagate. The nightwatchmen say they have not seen any malicious behaviour from the web wriggler.
The site warns that the worm propagates by generating a "pseudo-random IP address" and exploiting hosts which have Anonymous Null Sessions fully enabled, or weak (or no) passwords on privileged user accounts. Windows 2000 and XP systems enable unauthenticated users to connect to a special system share known as IPC$.
By default, Null Sessions enable an unauthenticated user to get a list of valid user accounts and the groups that those users belong to. Access to such information greatly simplifies a brute force password attack against those user accounts, the site warns.
Most firewalls will prevent the worm from penetrating a system. The Wall-less can either disable Null Sessions or prevent enumeration of user accounts.
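One way to spot the scanning surge described above in firewall logs, as an added example that is not from myNetWatchman or the original article: flag any source that touches many distinct destinations on TCP port 445 within a short window. The log format, thresholds, dates and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation address ranges, not real traffic).
# Assumed line format: timestamp source destination protocol dest_port action
SAMPLE_LOG = "\n".join(
    # One source sweeping eight different hosts on TCP/445 in eight seconds.
    [f"2002-01-01T10:00:{i:02d} 198.51.100.7 203.0.113.{10 + i} TCP 445 DROP" for i in range(8)]
    # A slow source: six hosts on TCP/445, but five minutes apart.
    + [f"2002-01-01T10:{i * 5:02d}:00 192.0.2.44 203.0.113.{70 + i} TCP 445 DROP" for i in range(6)]
    + [
        # A normal client talking repeatedly to one file server.
        "2002-01-01T10:00:05 192.0.2.20 203.0.113.50 TCP 445 ACCEPT",
        "2002-01-01T10:00:09 192.0.2.20 203.0.113.50 TCP 445 ACCEPT",
        "2002-01-01T10:00:10 192.0.2.33 203.0.113.60 TCP 80 ACCEPT",
        "garbled line",
    ]
)

def find_445_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {source: peak count of distinct TCP/445 destinations in any window}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst, proto, dport, _action = line.split()
            event = (datetime.fromisoformat(ts), dst)
            port = int(dport)
        except ValueError:
            continue  # skip blank or malformed lines
        if proto.upper() == "TCP" and port == 445:
            hits[src].append(event)

    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in find_445_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {count} distinct hosts on TCP/445 within 60s")
```

Widening the window catches slower sweeps at the cost of more false positives from busy file-sharing clients.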
Antivirus vendor F-Secure Corp. lists the worm as a Level 2 threat, where Level 1 poses the gravest threat.
Here's the www.mynetwatchman.com site.