Worm.Win32.Hai

Class Worm
Platform Win32
Description

Technical Details

This is a local network worm that spreads on Win32 systems. The worm itself is a Win32 executable file about 60K in length, written in MS Visual C++. The known worm version is encrypted with the PELock Win32 EXE file protection tool.

The spreading process distributes copies of the worm throughout a local network to drives that are shared for reading/writing. The worm enumerates network resources (shared directories) and looks for a WINDOWS subdirectory in them. If such a subdirectory is found, the worm copies itself there under a random EXE name (for example, RLITK.EXE, STNXOUL.EXE) and registers that copy in the WIN.INI file, [windows] section, “Run=” command (auto-run command). As a result, the worm is able to infect Win9x machines only (WinNT doesn’t use WIN.INI files; it uses the registry instead).

While modifying the WIN.INI file, the worm uses a temporary WIN.HAI file; hence the worm’s name.

The worm also scans the local network and other IP addresses. While scanning, the worm simply obtains the next IP address, tries to open a connection to that machine, and then immediately closes the connection; it does not use the result of the connection in any way.

The scanning algorithm appears as follows: the worm obtains the current machine’s IP address as a “base address,” then runs two processes: the first one scans all IP addresses by incrementing the base address, and the second one does this by decrementing the base address.

For example, if a current machine’s IP is 192.3.2.1, the worm will scan:

 first process   second process

 192.3.2.1       192.3.2.1
 192.3.2.2       192.3.1.255
 192.3.2.3       192.3.1.254
 192.3.2.4       192.3.1.253
 ...             ...
 192.3.2.255     192.3.1.1
 192.3.3.1       192.2.255.255
 ...             ...
 192.3.255.255   192.1.1.1
 192.4.1.1       191.255.255.255
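The two-direction sweep in the table above is a recognisable pattern in connection logs. The following added example (not code from the original description) parses a constructed firewall-style log of connection attempts and flags any source whose destinations form an ascending run just above its own address and a descending run just below it; the log format, field names and the 192.3.2.50 host are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the page): 192.3.2.1 sweeps both ways from
# its own address as described above; 192.3.2.50 is a benign host.
SAMPLE_LOG = """\
10:00:01 src=192.3.2.1 dst=192.3.2.2 tcp SYN
10:00:01 src=192.3.2.1 dst=192.3.1.255 tcp SYN
10:00:02 src=192.3.2.50 dst=192.3.2.10 tcp SYN
10:00:02 src=192.3.2.1 dst=192.3.2.3 tcp SYN
10:00:02 src=192.3.2.1 dst=192.3.1.254 tcp SYN
10:00:03 src=192.3.2.1 dst=192.3.2.4 tcp SYN
10:00:03 src=192.3.2.1 dst=192.3.1.253 tcp SYN
"""

LINE_RE = re.compile(r"src=(\d+\.\d+\.\d+\.\d+) dst=(\d+\.\d+\.\d+\.\d+)")


def parse_attempts(log_text):
    """Group destination addresses by source address, preserving log order."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m.group(1)].append(m.group(2))
    return attempts


def is_two_way_sweep(src, dsts, min_run=3, max_gap=256):
    """True when dsts hold an ascending run starting just above src and a
    descending run starting just below it (the worm's two scanning processes).
    max_gap tolerates the skipped .0 addresses seen in the table (.255 -> .1)."""
    base = int(ipaddress.IPv4Address(src))
    ints = [int(ipaddress.IPv4Address(d)) for d in dsts]
    up = [i for i in ints if i > base]      # first process: incrementing
    down = [i for i in ints if i < base]    # second process: decrementing

    def is_run(seq, sign):
        # Each step, including the step from base, moves 1..max_gap in one direction.
        steps = zip([base] + seq, seq)
        return len(seq) >= min_run and all(0 < sign * (b - a) <= max_gap for a, b in steps)

    return is_run(up, 1) and is_run(down, -1)


def detect_sweepers(log_text):
    """Return the source addresses whose connection pattern matches the sweep."""
    return [src for src, dsts in parse_attempts(log_text).items()
            if is_two_way_sweep(src, dsts)]
```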