
Win32.HLLW.Lioten.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.HLLW.Lioten.A is also known as N/A.

Explanation :

The worm runs only on NT platforms (Windows NT 4, Windows 2000 or Windows XP), because it uses functions of the "netapi32.dll" library.
The worm tries to access random IP addresses on port 445; that is, it tries to connect over TCP to remote computers on the local network or on the Internet. If it succeeds, it tries to copy itself to:
\\<remote host>\c$\winnt\system32\iraq_oil.exe or
\\<remote host>\Admin$\system32\iraq_oil.exe
It tries the following passwords in its connection attempts:
"" (no password)
"admin"
"root"
"111"
"123"
"1234"
"123456"
"654321"
"1"
"!@#$"
"asdf"
"asdfgh"
"!@#$%"
"!@#$%^"
"!@#$%^&"
"!@#$%^&*"
"server"
After it has successfully copied itself to the destination, the worm tries to create a scheduled task on the remote computer that executes the worm executable after a few hours or even the next day, depending on the time zone of the victim's computer.
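
The propagation described above (one host connecting to many random addresses on TCP port 445) is visible in firewall or flow logs. The following detection sketch is an added example, not part of the original BitDefender write-up; the log line format, the addresses, the 60-second window and the threshold of 20 hosts are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) firewall-log line format; adapt the regex to your logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

def build_sample_log():
    """Constructed sample traffic; all addresses are made up for the example."""
    base = datetime(2011, 11, 21, 10, 0, 0)
    rows = []
    for i in range(30):
        t = base + timedelta(seconds=i)
        rows.append((t, "10.0.0.5", "10.0.0.2", 445))             # one file server, repeatedly
        rows.append((t, "10.0.0.9", f"198.51.100.{i + 1}", 445))  # new host every second
        rows.append((t, "10.0.0.7", f"203.0.113.{i + 1}", 80))    # many hosts, but not SMB
    rows.sort()
    return [f"{t.isoformat()} SRC={s} DST={d} PROTO=TCP DPT={p}" for t, s, d, p in rows]

def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Map each source to its peak count of distinct TCP/445 destinations
    inside any sliding window, keeping only sources at or above threshold.
    Lines must be in time order."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or m["dpt"] != "445":
            continue  # unparsable line or not the worm's target port
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append((ts, m["dst"]))
        while ts - q[0][0] > window:
            q.popleft()  # drop connections older than the window
        distinct = len({dst for _, dst in q})
        peak[m["src"]] = max(peak[m["src"]], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in find_smb_scanners(build_sample_log()).items():
        print(f"{src}: {n} distinct hosts contacted on TCP/445 within 60 s")
```

Counting distinct destinations rather than raw connections keeps a workstation that talks repeatedly to a single file server from being flagged.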

Last update 21 November 2011

 
