The Haiku worm usually arrives as a file named HAIKU.EXE attached to an e-mail message. The message looks as if it was forwarded by its original recipient and has the subject 'Fw: Compose your own haikus'.
The message body advertises the attached file as a Haiku (oriental poetry style) generator, which it actually is; but alongside the Haiku generation routine the file carries the worm code. The message the worm spreads itself with looks like this:
:))
----- Original Message -----
>"Old pond...
> a frog leaps in
> water's sound."
>- Matsuo Basho.
>
>DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?
>
>Haiku is a small poetry with oriental metric that appeared in the
>XVI century and is being very popular, mainly in Japan and the USA.
>
>It's done to transcend the limitation imposed by the usual language
>and the linear/scientific thinking that treat the nature and the
>human being as a machine.
>
>It usually has 3 lines and 17 syllables distributed in 5, 7 and 5.
>It must register or indicate a moment, sensation, impression or
>drama of a specific fact of nature. It's almost like a photo of
>some specific moment of nature.
>
>More than inspiration, what you need in order to compose a real
>haiku is meditation, effort and perception.
>
>DO YOU WANT TO COMPOSE YOUR OWN HAIKUS?
>
>Now you can! it is very easy to get started in this old poetry
>art. Attached to this e-mail you will find a copy of a simple
>haiku generator. It will help you in order to understand the
>basics of the metric, rhyme and subjects which should be used
>when composing a real haiku... just check it out! it's freeware
>and you can use and spread it as long as you want!
When the worm is run, it first installs a copy of itself as HAIKUG.EXE in the Windows directory and modifies WIN.INI so that this copy is started in every subsequent Windows session. After that the worm displays a message box with a randomly generated Haiku:
After the system is restarted, the worm gains control, checks whether an Internet connection is available, and scans DOC, EML, HTM, HTML, RTF and TXT files for e-mail addresses. Once a suitable address is found, the worm decrypts its internal message text, connects to a remote SMTP server that accepts mail without authentication, and sends itself as a MIME-encoded attachment together with the decrypted message to that address. Then the worm displays its copyright message box:
From time to time the worm connects to the free web hosting provider Xoom and downloads a WAV file from one of the user accounts hosted there. The worm writes the downloaded file to C:\HAIKU.WAV, plays it and then deletes it. The WAV file carries a copyright string of Sandman:
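The behaviour above gives two host-side indicators an analyst can check for: the HAIKUG.EXE copy wired into WIN.INI, and the short-lived C:\HAIKU.WAV drop. The following triage script is an added example written for this page; it is not F-Secure's tool and not code from the worm. WIN.INI's [windows] section has two auto-start keys, run= and load=; the description does not say which one the worm uses, so the script inspects both. The sample WIN.INI contents are constructed, and the set of "existing paths" is passed in so the script runs offline (on a live host you would substitute os.path.exists).

```python
"""Triage helper for the Haiku worm's host-side indicators (added example).

Assumptions not stated on the page: the WIN.INI persistence is one of the
standard [windows] run= / load= keys, and the HAIKUG.EXE name may appear with
or without a directory prefix.
"""
import os
import re

WORM_FILENAME = "HAIKUG.EXE"          # name the worm installs itself under
WAV_DROP = r"C:\HAIKU.WAV"            # transient file the payload writes
AUTOSTART_KEYS = ("run", "load")      # WIN.INI [windows] auto-start keys


def parse_ini(text):
    """Minimal WIN.INI parser: {section: [(key, value), ...]}.

    Hand-rolled because a real WIN.INI can contain duplicate keys and
    comment lines that configparser trips over.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autostart_entries(ini_text):
    """Every program referenced by run= or load= in the [windows] section."""
    entries = []
    for key, value in parse_ini(ini_text).get("windows", []):
        if key in AUTOSTART_KEYS and value:
            # run= and load= accept several programs separated by spaces or commas
            for prog in re.split(r"[\s,]+", value):
                if prog:
                    entries.append((key, prog))
    return entries


def haiku_persistence(ini_text):
    """Auto-start entries whose file name is HAIKUG.EXE (any case, any path)."""
    return [
        (key, prog)
        for key, prog in autostart_entries(ini_text)
        if os.path.basename(prog.replace("\\", "/")).upper() == WORM_FILENAME
    ]


def check_host(ini_text, existing_paths):
    """Combine the WIN.INI check with a file-presence check.

    existing_paths: iterable of paths present on the host (injected so the
    function is testable offline instead of calling os.path.exists).
    """
    findings = []
    for key, prog in haiku_persistence(ini_text):
        findings.append(f"WIN.INI [windows] {key}= starts {prog}")
    present = {p.upper() for p in existing_paths}
    if WAV_DROP.upper() in present:
        # The worm deletes the WAV after playing it, so seeing it means
        # the download-and-play routine was caught mid-run.
        findings.append(f"{WAV_DROP} present on disk")
    return findings


# Constructed sample WIN.INI contents, not taken from a real infected host.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\HAIKUG.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

CLEAN_WIN_INI = """[windows]
load=
run=
"""

if __name__ == "__main__":
    for finding in check_host(SAMPLE_WIN_INI, {r"C:\WINDOWS\HAIKUG.EXE"}):
        print(finding)
```

The basename comparison is deliberate: the description says the worm installs into the Windows directory, but the run= value may name the file with or without that path, and a comparison on the full string would miss one of the two forms.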
The Haiku generator uses an internal table of words and word endings and composes poems strictly according to Haiku style rules. Here are the table's contents:
Nouns:
bridge light sea fish butterfly foghorn day moon evening spring sunset boat petal blossom stone mist passage darkness dolphin ant shadow star frost cicada wind garden orchard chestnut forest leaf sun winter autumn summer morning tree branch smoke grape rainbow blackness shade edge snowflake raindrop starling stem charcoal silence flurry trunk gnat pear strawberry breeze grass silence worm solstice rain cauliflower dawn fire splinter cedar skyline mushroom foam roar child

Adjectives:
reflected calm distant small shifting long overlooking delicate tiny colorful silent noisy faint bruised plucked ripening swollen dark new old brittle steaming decaying single wet bare bright cold heavy purplish fleeting smooth pale imprisoned lightning frozen cupped dewy shriveled fiery hunkered stirring chattering misshapen taut matted visible wild surprising sudden trembling twisting perfect flashing frosted solemn rising lost loved

Determiners and prepositions:
this that these those of to with from in on

Adverbs:
slowly calmly soon suddenly eagerly afterward slightly toward now

Articles and conjunctions:
the a and or

Verbs (present form, past form, third-person ending):
share shared s
stop stopped s
recall recalled s
drive drove s
chase chased s
contain contained s
return returned s
rise rose s
ripple rippled s
move moved s
fall fell s
hang hung s
miss missed es
catch caught es
start started s
tousle tousled s
pass passed es
pluck plucked s
blind blinded s
crush crushed es
awake awoke s
rattle rattled s
pierce pierced s
Technical Details: Alexey Podrezov, F-Secure