woodward (XMission Broadband; VIP; join: 2000-12-28; Salt Lake City, UT)
iraq_oil.exe ?

A co-worker of mine found something named "iraq_oil.exe" running on his Windows 2000 machine over the weekend. After killing it off, he found the executable in his Win32 folder. He re-ran his virus scanner (Norton with latest definitions) and just for good measure ran Ad-Aware and Spybot. None of the three recognized it as a problem. He deleted it.
It may be nothing, but it sounds highly suspicious. What's more, he doesn't read email on this machine, and browses with it very little. In short, he has no idea what it was or where it came from. He has *not* yet installed the most recent security patch, but does have SP 2.
Does this sound familiar to anyone? I can find nothing on any security site.
corster (Premium; join: 2002-02-23; Gatineau, QC)
I heard of it... it's the Pentagone Virus.
dja, "The 'd' is silent ... unlike the member." (Premium; join: 2002-03-25; Niagara), reply to woodward:
Has he checked the properties of the file? Google turns up nothing by that name.
psloss (Premium; join: 2002-02-24; Alpharetta, GA), reply to woodward:
Re: iraq_oil.exe ?
said by woodward: A co-worker of mine found something named "iraq_oil.exe" running on his Windows 2000 machine over the weekend. After killing it off, he found the executable in his Win32 folder. He re-ran his virus scanner (Norton with latest definitions) and just for good measure ran Ad-Aware and Spybot. None of the three recognized it as a problem. He deleted it.
It's a very new worm (likely NOT Pentagone) -- the version we've seen was compiled on Saturday. I'm helping Lawrence and Steve with analysis on it -- hope I'm not stealing their thunder. Hopefully, there will be a technical write-up soon, but the short story is it appears to be targeting and propagating on Win2K/XP shares on tcp/445.
If anyone finds this file, it's malware -- feel free to send it to me (my e-mail is in the signature below), but definitely kill it and delete it.
Philip Sloss -- stuff@lupwa.org
[text was edited by author 2002-12-16 13:38:39]
dja, "The 'd' is silent ... unlike the member." (Premium; join: 2002-03-25; Niagara), reply to woodward:
A member in this thread... complained of odd port 445 activity yesterday: »xp antispy. We dismissed the argument as it was specific to an XPantispy site and did not appear worm-related. However, this revelation may change that. -- Bushwacked!
Reply to psloss:
Re: iraq_oil.exe ? Any other file name known? -- Feivel
psloss (Premium; join: 2002-02-24; Alpharetta, GA):
said by Feivel1: Any other file name known?
We've seen a couple of versions with random file names, but when it copies itself it uses the iraq_oil name; the file size is 40,960 bytes and the MD5 hash is "345A5DF8919FEFD52053711535BF8C31".
At least that's for the version we've seen so far...
Philip Sloss -- stuff@lupwa.org
Reply to woodward:
Can you send me this file pls to virus@gladiator-antivirus.com ?
Thx. -- GAV - Gladiator AntiVirus - »www.gladiator-antivirus.com
Reply to psloss:
Philip,
Go figure. I searched on 40960-byte files and I came up with 32. Good thing is 31 are expected and normal. 1 is questionable though, but it appears to be a stray installer file from Diskeeper. Anyway, how do I check the MD5? The only MD5 checker I am familiar with is MD5 for Windows (c3fd10de60a769c2f43be3d2e49332db *md5summer.exe). Do I use that? -- Feivel
Reply to psloss:
said by psloss: the short story is it appears to be targeting and propagating on Win2K/XP shares on tcp/445.
I was wondering what all those attempts on port 445 were. I've been seeing a lot of them, and they've increased a LOT according to myNetWatchman, but I'd seen no explanation yet.
Good luck!
psloss (Premium; join: 2002-02-24; Alpharetta, GA), reply to Feivel1:
said by Feivel1: Anyway, how do I check the MD5? The only MD5 checker I am familiar with is MD5 for Windows (c3fd10de60a769c2f43be3d2e49332db *md5summer.exe). Do I use that?
This utility I found via Symantec's Anti Virus center: »www.fourmilab.ch/md5/ -- stuff@lupwa.org
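A way to automate the check Feivel was doing by hand (filter on the 40,960-byte size psloss reported, then compare MD5 against the hash he posted), as an added example that is not code from anyone in the thread. The directory tree built by `demo()` is constructed sample data: its files are dummies, not the worm, and `find_suspect_files`, `md5_of_file` and `demo` are names assumed here.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Size and MD5 psloss reported for the sample he analysed (hex, lower-cased here).
LIOTEN_SIZE = 40960
LIOTEN_MD5 = "345a5df8919fefd52053711535bf8c31"

def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so a big file is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_suspect_files(root, size=LIOTEN_SIZE, md5hex=LIOTEN_MD5):
    """Walk root; return (size_matches, hash_matches) as lists of path strings.
    The cheap stat-based size check goes first; MD5 runs only on exact-size files."""
    wanted = md5hex.lower()
    size_matches, hash_matches = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size != size:
                    continue
                digest = md5_of_file(p)
            except OSError:
                continue  # unreadable, or vanished between stat and open
            size_matches.append(str(p))
            if digest == wanted:
                hash_matches.append(str(p))
    return size_matches, hash_matches

def demo():
    """Constructed tree: two 40960-byte files (one a dummy 'worm'), one other file."""
    root = Path(tempfile.mkdtemp())
    (root / "setup.dll").write_bytes(b"\x00" * LIOTEN_SIZE)  # right size, wrong hash
    (root / "sub").mkdir()
    (root / "sub" / "iraq_oil.exe").write_bytes(b"MZ" + b"\x01" * (LIOTEN_SIZE - 2))
    (root / "notes.txt").write_bytes(b"wrong size")
    sample_hash = md5_of_file(root / "sub" / "iraq_oil.exe")  # stand-in for the thread's hash
    sizes, hits = find_suspect_files(root, md5hex=sample_hash.upper())  # case-insensitive
    return {"size_matches": len(sizes), "hash_matches": [Path(h).name for h in hits],
            "real_hash_hits": find_suspect_files(root)[1]}
```

Point `find_suspect_files` at a system drive root to reproduce Feivel's search; only a file whose MD5 equals the posted value is reported as a hash match, so same-size decoys are listed separately.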
Reply to woodward:
I don't know if it was a coincidence, but the minute I discovered Iraq_oil.exe was the minute my Direcway satellite service stopped and the minute that my Norton Anti-Virus software would not reinstall. I had to reload the entire OS to get it back on line. Symantec delivered an update; only December 17, 02 and newer will clean it. I am not sure what the virus did, but I learned a good lesson.
Reply to woodward:
This worm is detected by all major scanners now, including the free ones like AVG.
It is the Win32.HLLW.Lioten.A; go here to find out more: »www.bullguard.com/virus/113.aspx -- It's not the size of the dog in the fight, but the size of the fight in the dog. - My history teacher
Lurkers inc, "Don't Call Me Doink" (join: 2001-10-13; Seattle, WA):
This is an old thread awakened, but I thought it worth mentioning that some members made a write-up about that file here: »www.mynetwatchman.com/kb/securit···aqiworm/
If you somehow get infected with it, that is a sign your computer or network security is a little lax and could use some improvement by following the prevention steps at the link above.
Paul,