New 'oil' worm 'unlikely to succeed': Sophos

Anti-virus vendor Sophos has moved to arrest panic over the appearance of a new computer worm, saying its method of propagation makes it highly unlikely to succeed.

The new worm tagged in anti-virus vendor reports as W32/LIOTEN.A (Net-Oil spelt backwards) attempts to crack into weakly configured Windows 2000 and XP machines. However, according to Sophos, even if the worm is successful it is highly unlikely that it will be able to do anything once it has breached the target machine.

The worm attempts break into machines by generating fake IP addresses and scanning them for a listening TCP port 445. If a machine associated with one of the IPs exists and has a weak security configuration, the worm may be able to attain a list of valid usernames from it. The worm would then attempts to log on to the machine using a series of common passwords.

If the worm logs on successfully, it attempts to detonate on the target machine to perpetuate its travel to new targets.

"It makes a copy of itself but its very unlikely that it would spread from the machine it has copied itself onto," said Paul Ducklin, spokesman for Sophos.

Sophos said the worm is poorly designed and that the method it uses to log in leaves it unlikely to have the authority or "machine privileges" it requires to execute itself on the target and continue propagating.

"It's interesting to note that we haven't had any reports from people actually infected by it and nor it appears have any of the other major anti-virus vendors," said Ducklin.

Ducklin said it was also interesting to note that while graphs representing W32/LIOTEN.A's port scanning activity showed a sharp drop shortly after attackers launched it, that of older worms maintained their strength.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.