Worm.Win32.Hai

Class Worm
Platform Win32
Description

Technical Details

This is a local network worm that spreads on Win32 systems. The worm itself is a Win32 executable file about 60K in length, written in MS Visual C++. The known worm version is encrypted with the PELock Win32 EXE file protection tool.

The spreading process distributes the worm copy throughout a local network to drives that are shared for reading/writing. The worm enumerates network resources (shared directories) and looks for a WINDOWS subdirectory in them. If such a subdirectory is found, the worm copies itself there under a random EXE name (for example, RLITK.EXE, STNXOUL.EXE) and registers that copy in the WIN.INI file, [windows] section, “Run=” command (auto-run command). As a result, the worm is able to infect Win9x machines only (WinNT doesn’t use the WIN.INI file for this; it uses the registry instead).

While modifying the WIN.INI file, the worm uses a temporary file named WIN.HAI; this is where the worm’s name comes from.
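The infection marker described above is a “Run=” entry in the [windows] section of WIN.INI pointing at an EXE in the Windows directory. The following is an added example, not code from the original description: a small checker that parses WIN.INI text, lists every program registered under Run= (WIN.INI accepts a comma-separated list there), and flags the ones located in a WINDOWS directory. The sample WIN.INI content is constructed for the example; the file name RLITK.EXE is one of the random names quoted in the description.

```python
from typing import Dict, List

# Constructed sample WIN.INI content (not taken from an infected machine):
# a benign empty Load= line and a Run= entry of the kind the worm writes.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\RLITK.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal case-insensitive INI parser; section and key names are lower-cased,
    comment lines (;) are skipped, and a duplicated key keeps its last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_entries(text: str) -> List[str]:
    """Every program listed under [windows] Run= in the given WIN.INI text."""
    windows = parse_ini(text).get("windows", {})
    value = windows.get("run", "")
    return [part.strip() for part in value.split(",") if part.strip()]


def windows_dir_entries(text: str) -> List[str]:
    """Run= entries whose path lies in a WINDOWS directory: the location the worm
    copies itself to. Any Run= entry deserves review; these are the first to look at."""
    flagged = []
    for entry in autorun_entries(text):
        normalised = entry.replace("/", "\\").lower()
        if "\\windows\\" in normalised:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in autorun_entries(SAMPLE_WIN_INI):
        print("Run= entry:", entry)
    for entry in windows_dir_entries(SAMPLE_WIN_INI):
        print("located in a WINDOWS directory:", entry)
```

On a real Win9x host the same functions can be pointed at the contents of C:\WINDOWS\WIN.INI; a leftover WIN.HAI file in the same directory is a second, independent indicator of the worm having edited the file.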

The worm also scans the local network and other IP addresses. While scanning, the worm simply obtains the next IP address, tries to open a connection to that machine, and then immediately closes the connection; it does not use the result of the connection in any way.

The scanning algorithm appears as follows: the worm obtains the current machine’s IP address as a “base address,” then runs two processes: the first one scans all IP addresses by incrementing the base address, and the second one does this by decrementing the base address.

For example, if a current machine’s IP is 192.3.2.1, the worm will scan:

 first process   second process

 192.3.2.1       192.3.2.1
 192.3.2.2       192.3.1.255
 192.3.2.3       192.3.1.254
 192.3.2.4       192.3.1.253
 ...             ...
 192.3.2.255     192.3.1.1
 192.3.3.1       192.2.255.255
 ...             ...
 192.3.255.255   192.1.1.1
 192.4.1.1       191.255.255.255