Hai is a network worm that spreads in Win32 local networks. The worm is a PE EXE file 65536 bytes long and it is packed with PELOCK file compressor. The worm was not widespread by the time of creation of this description.
Disinfection instructions for Hai worm in a network environment:
1. Disable all network sharing or temporarily kill a network.
2. Scan infected systems with F-Secure Anti-Virus and the latest updates, identify and try to delete/rename the worm's file.
3. If FSAV is not able to remove the worm (locked file problem), its file has to be deleted from pure DOS (Win9x workstations) or renamed with non-executable extension with immediate system restart (for NT/2000 workstations). After restart the previously renamed worm's file should be deleted.
4. Remove the worm's autostarting line after 'RUN=' variable in WIN.INI file on infected workstations to get rid of annoying 'missing file' message generated by Windows on every startup.
5. Re-enable sharing or connect network only after all infected workstations are disinfected. If there's a single infected workstation, it can re-infect all others.
After being launched the worm creates a thread that starts to scan for valid IP addresses starting from the IP address of the infected computer. The worm scans a full range of IP addresses starting increments/decrements from lower IP address value.
When the worm finds a valid IP address (connection succeeds), it creates another thread that enumerates shared network resources/drives on a found remote computer. If there's a share with \Windows\ folder on a remote system the worm attempts to find and open WIN.INI file there. If WIN.INI is found, the worm creates WIN.HAI file and starts looking for 'RUN=' variable in WIN.INI file while copying its contents to WIN.HAI file.
If 'RUN=' variable is found, the worm puts a randomly generated file name after it (the worm will later copy itself with this name to a remote system). If 'RUN=' variable is not found, the worm creates it itself and then adds a randomly generated file name after it.
Finally the worm copies itself into \Windows\ folder to a remote system with a random name that it used to register itself in WIN.INI file (see above). Then the worm deletes WIN.INI file and renames WIN.HAI file as WIN.INI.
When a remote system is restarted the worm gets activated from 'RUN=' command. This however only happens on Win9x systems as on NT-based systems WIN.INI file is not used to start files on bootup. After infecting a remote system the infection thread terminates and IP scanning thread keeps scanning for valid IP addresses.
Description Created: Alexey Podrezov; F-Secure Corp.; August 28, 2001