Hai is a network worm that spreads across Win32 local networks over
open file shares. The worm is a PE EXE file 65536 bytes long, packed
with the PELOCK file compressor. The worm was not widespread at the
time this description was written.
After being launched, the worm creates a thread that scans for
reachable IP addresses, starting from the IP address of the infected
computer. The worm walks the whole IP address range by stepping the
address up and down from that starting value.
When the worm finds a live IP address (a connection succeeds), it
creates another thread that enumerates the shared network
resources/drives on that remote computer. If a share exposes a
\Windows\ folder, the worm attempts to find and open the WIN.INI file
there. If WIN.INI is found, the worm creates a WIN.HAI file and copies
the contents of WIN.INI into it while looking for a 'RUN=' entry.
If a 'RUN=' entry is found, the worm puts a randomly generated file
name after it (the worm later copies itself to the remote system
under this name). If no 'RUN=' entry is found, the worm creates one
itself and adds the randomly generated file name after it.
Finally the worm copies itself into the \Windows\ folder on the
remote system under the random name it registered in WIN.INI (see
above). Then the worm deletes WIN.INI and renames WIN.HAI to WIN.INI.
When the remote system is restarted, the worm is activated by the
'RUN=' entry. This only happens on Win9x systems: NT-based systems do
not use the WIN.INI file to start programs at boot (there the
[windows] section's run= and load= keys are mapped into the registry,
so a line written straight into the file is never read). After
infecting a remote system the infection thread terminates, while the
IP scanning thread keeps looking for further live IP addresses.
Disinfection instructions for the Hai worm in a network environment:
1. Disable all network sharing, or temporarily take the network down.
2. Scan the infected systems with F-Secure Anti-Virus with the latest
updates, identify the worm's file and try to delete or rename it.
3. If FSAV is not able to remove the worm (because its file is
locked), the file has to be deleted from pure DOS (Win9x
workstations) or renamed to a non-executable extension followed by an
immediate restart (NT/2000 workstations). After the restart, the
renamed worm file should be deleted.
4. Remove the worm's autostart entry after 'RUN=' in the WIN.INI file
on each infected workstation; otherwise Windows shows an annoying
'missing file' message on every startup.
5. Re-enable sharing or reconnect the network only after all infected
workstations have been disinfected. A single workstation that is
still infected will re-infect all the others.
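The WIN.INI autostart check behind the infection mechanism above and the
cleanup of step 4, as an added Python example that is not part of
F-Secure's description or of the worm's own code. The sample WIN.INI and
the file name kqzrt.exe are constructed for the example; the functions
assume the Win9x convention that Windows evaluates the run= (and load=)
lines under the [windows] section at startup, and they match 'RUN='
without regard to section, as the description says the worm does:

```python
import re

# Constructed sample WIN.INI, not a real capture.  Win9x evaluates the
# run= and load= lines under [windows] at startup; 'kqzrt.exe' stands in
# for the worm's random file name and is made up for this example.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=kqzrt.exe\n"
    "NullPort=None\n"
    "\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# The worm matches the text 'RUN=' regardless of section; so does this.
RUN_RE = re.compile(r"^(?P<key>\s*run\s*)=(?P<value>.*)$", re.IGNORECASE)


def _split_programs(value):
    """A run= line may list several programs separated by spaces or commas."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def run_entries(ini_text):
    """Return every run= line as (line_no, section, [programs]).

    Lines outside [windows] are reported too: because the worm searches
    for 'RUN=' anywhere in the file, its entry can land in a section
    Windows never reads.  Such a copy is harmless but still worth finding.
    """
    entries = []
    section = None
    for line_no, line in enumerate(ini_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append((line_no, section, _split_programs(m.group("value"))))
    return entries


def autostart_programs(ini_text):
    """Programs Win9x would actually launch: run= under [windows] only."""
    programs = []
    for _, section, progs in run_entries(ini_text):
        if section == "windows":
            programs.extend(progs)
    return programs


def remove_autostart(ini_text, program):
    """Disinfection step 4: drop `program` from every run= line.

    Other programs on the same run= line, the rest of WIN.INI and the
    original line endings are left unchanged.  Returns the new text.
    """
    target = program.lower()
    out = []
    for line in ini_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        m = RUN_RE.match(body)
        if m:
            keep = [p for p in _split_programs(m.group("value"))
                    if p.lower() != target]
            body = m.group("key") + "=" + " ".join(keep)
        out.append(body + ending)
    return "".join(out)


if __name__ == "__main__":
    for line_no, section, progs in run_entries(SAMPLE_WIN_INI):
        print("line %d [%s] run=%s" % (line_no, section, " ".join(progs)))
    print("would autostart:", autostart_programs(SAMPLE_WIN_INI))
    print(remove_autostart(SAMPLE_WIN_INI, "kqzrt.exe"))
```

Run it against a copy of each workstation's WIN.INI from a clean machine
and write the cleaned text back only after the worm's file itself has
been removed (steps 2 and 3); removing the entry first would not stop the
worm, and a still-infected neighbour would re-add it anyway. The worm
does not touch load=, but that is the other autostart line Win9x reads
from [windows], so check it by hand at the same time.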
[Analysis: Alexey Podrezov; F-Secure Corp.; August 28, 2001]