Worm.Win32.Hai
| Alert Level : | Medium |
| Discovered: | Aug 14 2001 |
| Tag: | Internet Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This is a local network worm that spreads on Win32 systems. The worm itself is a Win32 executable file about 60K in length, written in MS Visual C++. The known worm version is encrypted with the PELock Win32 EXE file protection tool.
The spreading process distributes the worm copy throughout a local network to drives that are shared for reading/writing. The worm enumerates network resources (shared directories) and looks for \WINDOWS in them. If such a subdirectory is found, the worm copies itself there under a random EXE name (for example, RLITK.EXE, STNXOUL.EXE) and registers that copy in the WIN.INI file, [windows] section, "Run=" command (auto-run command). As a result, the worm is able to infect Win9x machines only (WinNT does not use WIN.INI files; it uses the registry instead).
While modifying the WIN.INI file, the worm uses a temporary WIN.HAI file, which is where the worm's name comes from.
The worm also scans the local network and other IP addresses. While scanning, the worm simply obtains the next IP address, tries to open a connection to that machine, then immediately closes the connection and does not use the result of the connection in any way.
The scanning algorithm works as follows: the worm obtains the current machine's IP address as a "base address," then runs two processes: the first one scans IP addresses by incrementing the base address, and the second one does so by decrementing the base address.
For example, if a current machine's IP is 192.3.2.1, the worm will scan:
| first process | second process |
| 192.3.2.1 | 192.3.2.1 |
| 192.3.2.2 | 192.3.1.255 |
| 192.3.2.3 | 192.3.1.254 |
| 192.3.2.4 | 192.3.1.253 |
| ... | ... |
| 192.3.2.255 | 192.3.1.1 |
| 192.3.3.1 | 192.2.255.255 |
| ... | ... |
| 192.3.255.255 | 192.1.1.1 |
| 192.4.1.1 | 191.255.255.255 |
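The address walk tabulated above can be turned into a detection check over connection records. This is an added example, not code from the original write-up; the record layout `(src, dst, payload_bytes)`, the `min_run` threshold, the function names and the sample log are assumptions.

```python
# Added example: flag hosts whose connection log matches the two-direction
# address walk tabulated above. Record layout and threshold are assumptions.
from collections import defaultdict

def walk_index(ip):
    """Position of ip in the walk order of the table: the last three
    octets run 1..255 (192.3.2.255 is followed by 192.3.3.1)."""
    a, b, c, d = (int(x) for x in ip.split("."))
    if min(b, c, d) < 1:
        return None  # .0 octets never appear in the tabulated walk
    return ((a * 255 + b - 1) * 255 + c - 1) * 255 + d - 1

def sweep_runs(src, dsts):
    """Length of the unbroken run of walk-adjacent destinations directly
    above and directly below the source's own address."""
    base = walk_index(src)
    if base is None:
        return 0, 0
    seen = {walk_index(d) for d in dsts}
    up = down = 0
    while base + up + 1 in seen:
        up += 1
    while base - down - 1 in seen:
        down += 1
    return up, down

def find_sweepers(records, min_run=4):
    """records: (src, dst, payload_bytes). Only zero-payload connections
    count, since the worm closes each connection immediately."""
    by_src = defaultdict(set)
    for src, dst, payload in records:
        if payload == 0:
            by_src[src].add(dst)
    hits = {}
    for src, dsts in by_src.items():
        up, down = sweep_runs(src, dsts)
        if up >= min_run and down >= min_run:
            hits[src] = (up, down)
    return hits

# Constructed sample log: one host walking both ways, one ordinary client.
SAMPLE = [("192.3.2.253", d, 0) for d in (
    "192.3.2.254", "192.3.2.252", "192.3.2.255", "192.3.2.251",
    "192.3.3.1", "192.3.2.250", "192.3.3.2", "192.3.2.249")]
SAMPLE += [("192.3.2.40", "192.3.2.41", 512), ("192.3.2.40", "192.3.9.9", 0),
           ("192.3.2.40", "192.3.2.39", 0)]

if __name__ == "__main__":
    print(find_sweepers(SAMPLE))
```

Requiring an unbroken run in both directions from the source's own address keeps ordinary clients that happen to contact a neighbouring host out of the result.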

