Classification

Category :

Malware

Type :

Worm

Aliases :

Hai, Worm.Hai

Summary

Hai is a network worm that spreads across Win32 local networks. The worm is a 65536-byte PE EXE file packed with the PELOCK file compressor. The worm was not widespread at the time this description was written.

Removal

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

After being launched, the worm creates a thread that scans for valid (reachable) IP addresses, starting from the IP address of the infected computer. The worm scans the full IP address range, incrementing and decrementing from the lower address value.

When the worm finds a valid IP address (the connection succeeds), it creates another thread that enumerates the shared network resources/drives on the remote computer it found. If the remote system exposes a share containing a \Windows\ folder, the worm attempts to find and open the WIN.INI file there. If WIN.INI is found, the worm creates a WIN.HAI file and copies the contents of WIN.INI into it line by line, looking for the 'RUN=' variable as it goes.

If the 'RUN=' variable is found, the worm appends a randomly generated file name to it (the worm later copies itself to the remote system under this name). If the 'RUN=' variable is not found, the worm creates it and then appends the randomly generated file name.

Finally, the worm copies itself into the \Windows\ folder of the remote system under the random name it registered in the WIN.INI file (see above). It then deletes the original WIN.INI file and renames WIN.HAI to WIN.INI.

When the remote system is restarted, the worm is activated by the 'RUN=' entry. This only happens on Win9x systems, however, because NT-based systems do not use WIN.INI to start programs at bootup. After infecting a remote system, the infection thread terminates, while the IP scanning thread keeps scanning for valid IP addresses.
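As an added defender-side example (not code from the original description or from F-Secure), the following Python script checks a copy of WIN.INI for the two traces the worm leaves behind: a 'RUN=' entry pointing at an executable dropped directly in the Windows folder, and a leftover WIN.HAI file from an interrupted rewrite. The sample WIN.INI content and the file name QZKXPLRT.EXE are constructed for illustration; the Windows folder path is an assumed default.

```python
import re
from typing import List

# Constructed sample WIN.INI content (not taken from a real system). The
# RUN= line shows the kind of entry Hai writes: a randomly named EXE in \Windows\.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\QZKXPLRT.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def parse_run_entries(win_ini_text: str) -> List[str]:
    """Return the program paths listed on the RUN= line of the [windows] section.

    WIN.INI allows several programs on one RUN= line, separated by spaces
    or commas, and the key name is case-insensitive.
    """
    in_windows_section = False
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows_section = line.lower() == "[windows]"
            continue
        if in_windows_section and line.lower().startswith("run="):
            value = line[len("run="):].strip()
            return [p for p in re.split(r"[ ,]+", value) if p]
    return []


def suspicious_run_entries(win_ini_text: str, windows_dir: str = "C:\\WINDOWS") -> List[str]:
    """Flag RUN= entries that launch an EXE sitting directly in the Windows folder,
    which is where Hai drops its randomly named copy. Hits need manual review;
    legitimate software rarely autostarts this way from WIN.INI.
    """
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    flagged = []
    for entry in parse_run_entries(win_ini_text):
        low = entry.lower()
        # Path must be <windows_dir>\<name>.exe with no further subdirectory.
        if low.startswith(prefix) and "\\" not in low[len(prefix):] and low.endswith(".exe"):
            flagged.append(entry)
    return flagged


def has_leftover_win_hai(windows_dir_listing: List[str]) -> bool:
    """True if WIN.HAI is present: the worm's working copy, normally renamed to
    WIN.INI, so its presence indicates an interrupted infection attempt."""
    return any(name.lower() == "win.hai" for name in windows_dir_listing)
```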