This is a local network worm that spreads on Win32 systems. The worm itself is a Win32 executable file about 60K in length, and it is written in MS Visual C++. The known worm version is encrypted by PELock Win32 EXE file protection tool.
The spreading process distributes the worm copy throughout a local network to drives that are shared for reading/writing. The worm enumerates network resources (shared directories) and looks for WINDOWS in there. If such a subdirectory is found, the worm copies itself to there with a random EXE name (for exemple, RLITK.EXE, STNXOUL.EXE) and registers that copy in a WIN.INI file, [windows] section, “Run=” command (auto-run command). As a result, the worm is able to infect Win9x machines only (WinNT doesn’t use WIN.INI files, rather it uses a registry instead).
While modifying the WIN.INI file, the worm uses a temporary WIN.HAI file; thus, the worm is named in such a way.
The worm also scans the local network and other IP addresses. While scanning, the worm simply obtains the next IP address, tries to open a connection to that machine, and then immediatly closes the connection, and does not use the result of the connection in any way.
The scanning algorithm appears as follows: the worm obtains the current machine’s IP address as a “base address,” then runs two processes: the first one scans all IP addesses by incrementing the base address, and the second one does this by decreasing the base address.
For example, if a current machine’s IP is 18.104.22.168, the worm will scan:
first process second process 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 ... ... 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 ... ... 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206