Worm Spreads Without Help From Email, Web

The security software company F-Secure on Tuesday said it found a worm in the wild that spreads not through email or via Web links, but through Windows shared folders.

Lioten, also known as Iraq_Oil, scans the internet for Windows 2000 and Windows XP machines that are not protected by a firewall and have shared folders implemented, which allows multiple users to share files on one of the user's systems.

Once such a machine is found, the worm guesses a password and logs in to the machine, F-Secure says. It then copies itself as an executable file (usually named iraq_oil.exe) and executes, thus launching a search for other machines to infect. The worm launches 100 threads, each of which starts generating random IP numbers.

"Lioten just spreads -- there is no further payload," says Mikko Hypponen, manager of anti-virus research for F-Secure, based in Finland. "It is quite a small virus."

The worm exploits the Windows Server Message Block (SMB) service at a port 445, which can be blocked with basic firewall techniques.

F-Secure ranked Lioten at its second-most serious level, Level 2, defined as new virus causing large infection that might be local to a specific region.