The worm, called W32/Lioten, also goes by the name Iraq_oil, Datrix, W32.Lioten, and I-Worm.Lioten, according to an advisory posted by security company F-Secure Corp.
Unlike other worms that spread through mass e-mailing, Lioten scans the Internet for vulnerable Windows machines that are sharing folders with other users on a home or business network.
The worm finds hosts to infect by randomly generating and attempting to connect to IP (Internet Protocol) addresses on the Internet. The worm listens for responses on port 445 from machines using Windows Server Message Block (SMB), a file and resource sharing protocol used in Windows environments.
Once the new worm receives a response from a server, it attempts to crack that machine using a so-called "brute force" attack. The worm first obtains a list of user accounts on the machine and then attempts to log in to each of those accounts by supplying values from its own list of likely passwords such as "admin", "root", "1234" and "asdf".
If the worm is successful in logging on to a machine using any of the user accounts, it places a copy of itself, iraq_oil.exe, in the System32 directory on that machine and creates a process on the machine to run the new executable.
It is not known what else the worm does besides propagate itself, F-Secure said.
Machines that are located behind a firewall are likely to be protected from the worm. Even basic firewall configurations will block access to port 445, according to F-Secure.
Leading anti-virus software makers including Symantec, Network Associates and Sophos gave Lioten a "low" threat rating, indicating that the worm has not spread widely on the Internet and few, if any, infections linked to the Lioten worm have been reported.
Despite this, anti-virus companies have posted updated virus definitions that are capable of detecting the Lioten worm and have recommended that customers running the affected operating systems download the latest virus definitions for their anti-virus software.