Description Published: 5 April 2005
Description Modified: 5 April 2005
Threat Assessment
Overall Risk: Low
Wild: Medium
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Description
Win32.Lioten is a family of worms that spread via network shares. Early variants spread via network shares only and had no payload, but modern variants can also spread by exploiting Windows vulnerabilities and act as IRC-controlled backdoors. Lioten worms are often found packaged with variants of the Win32.Ranck trojan.
Method of Infection
Typically, a Lioten variant copies itself to the %System% directory, and adds a value to one or more of the following registry keys so it is automatically run each time Windows starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Matire = "Fonosog.exe"
The worm usually also creates a mutex to avoid running multiple copies of itself at the same time.
Method of Distribution
Via Network Shares (Ports: 445, 135, 139)
All variants of Lioten are able to spread via Windows file sharing. The worm randomly selects IP addresses and attempts to connect to each on TCP port 445, 135, or 139. The target addresses may be completely random, or generated based on a list inside the worm. They may also be provided through commands to the IRC backdoor (see Payload section for further detail).
If successful, it tries to connect to the default IPC$ network share to obtain a user account list from the remote machine. It uses these accounts along with a primitive password dictionary attack to gain access to the default Admin$ or C$ share. The password dictionary varies with each worm variant; the following are some common examples:
password
passwd
pass
pwd
password1
pass1234
administrator
admin
If it is able to copy itself, the worm then remotely adds a scheduled job on the target system to run this copy.
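The scanning behaviour described above (one host probing many randomly chosen addresses on TCP 445, 135 or 139) can be spotted in perimeter or host firewall logs. The following detection logic is an added example, not part of the CA write-up; the key=value log format and the sample lines are constructed assumptions, not a real product's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lioten probes TCP 445/135/139 on many random addresses, so a host fanning
# out to many distinct peers on these ports in a short window is the signal.
SHARE_PORTS = {445, 135, 139}

# Constructed sample lines in an assumed key=value firewall log format.
SAMPLE_LOG = """\
2005-04-05T10:00:01 src=10.0.0.5 dst=10.0.3.17 dport=445 proto=tcp action=deny
2005-04-05T10:00:01 src=10.0.0.5 dst=192.168.7.2 dport=139 proto=tcp action=deny
2005-04-05T10:00:02 src=10.0.0.5 dst=172.16.9.9 dport=135 proto=tcp action=allow
2005-04-05T10:00:02 src=10.0.0.9 dst=10.0.0.1 dport=445 proto=tcp action=allow
2005-04-05T10:00:03 src=10.0.0.5 dst=10.0.0.1 dport=445 proto=tcp action=allow
2005-04-05T10:00:04 src=10.0.0.5 dst=10.22.1.1 dport=445 proto=tcp action=deny
2005-04-05T10:00:05 src=10.0.0.5 dst=10.5.5.5 dport=80 proto=tcp action=allow
2005-04-05T10:00:06 src=10.0.0.5 dst=10.1.2.3 dport=445 proto=tcp action=deny
2005-04-05T10:01:00 src=10.0.0.5 dst=10.9.9.9 dport=445 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(log_text):
    """Yield (timestamp, src, dst, dport) for lines aimed at share/RPC ports."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in SHARE_PORTS:
            yield (datetime.fromisoformat(m.group("ts")),
                   m.group("src"), m.group("dst"), dport)

def fan_out_sources(log_text, window=timedelta(seconds=30), min_peers=5):
    """Return {src: peers} for sources that reach at least min_peers distinct
    destinations on 445/135/139 within any window of the given length."""
    per_src = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= min_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
```

A normal workstation talking to one or two file servers (10.0.0.9 in the sample) stays below the threshold, while the probing host is reported with the number of distinct peers it reached.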
Via Exploits (Ports: 135, 445, 1025)
Some Lioten variants can also spread by exploiting vulnerabilities in Windows operating systems. If the worm successfully exploits one of these vulnerabilities, it executes a small amount of code on the target machine, which instructs it to connect back to the source in order to retrieve the complete worm executable.
This is a list of known vulnerabilities that Lioten variants may exploit:
1. Microsoft Windows LSASS buffer overflow vulnerability (TCP port 445)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=27886
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
2. Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 135, 445, 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25454
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx (supersedes original bulletin MS03-026)
3. Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Payload
Backdoor Functionality
Most Lioten variants contain IRC "bot" functionality, often based on code from Win32.Sdbot. This enables the worm to act as a backdoor. It connects to an IRC server and joins a channel; it then acts as an IRC bot, waiting for instructions from the channel. Lioten supports similar commands to most Sdbot variants, and often has commands to trigger spreading as well. Other backdoor functions supported include:
* Performing Denial of Service attacks (UDP, ICMP and SYN flooding)
* Killing processes and threads
* Downloading files
* Executing programs
* Updating itself
The worm makes outgoing connections to IRC servers on varying ports. As with legitimate IRC programs, it may listen on port 113: this is required by some IRC servers for authentication purposes.
Analysis by Hamish O'Dea
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=42309