Worm.Hai
Description Worm.Hai
This is a local network worm that spreads on Win32 systems. The worm itself is a Win32 executable file about 60K in length, written in MS Visual C++. The known worm version is encrypted with the PELock Win32 EXE file protection tool.

The spreading process distributes the worm copy throughout a local network to drives that are shared for reading/writing. The worm enumerates network resources (shared directories) and looks for a WINDOWS subdirectory in them. If such a subdirectory is found, the worm copies itself there with a random EXE name (for example, RLITK.EXE, STNXOUL.EXE) and registers that copy in the WIN.INI file, [windows] section, "Run=" command (auto-run command). As a result, the worm is able to infect Win9x machines only (WinNT doesn't use WIN.INI files; it uses the registry instead). While modifying the WIN.INI file, the worm uses a temporary WIN.HAI file, which is where the worm's name comes from.

The worm also scans the local network and other IP addresses. While scanning, the worm simply obtains the next IP address, tries to open a connection to that machine, then immediately closes the connection and does not use the result of the connection in any way.

The scanning algorithm is as follows: the worm obtains the current machine's IP address as a "base address," then runs two processes: the first one scans all IP addresses by incrementing the base address, and the second one does this by decrementing the base address. For example, if the current machine's IP is 192.3.2.1, the worm will scan:

first process      second process
192.3.2.1          192.3.2.1
192.3.2.2          192.3.1.255
192.3.2.3          192.3.1.254
192.3.2.4          192.3.1.253
...                ...
192.3.2.255        192.3.1.1
192.3.3.1          192.2.255.255
...                ...
192.3.255.255      192.1.1.1
192.4.1.1          191.255.255.255
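An added example (not part of the original description): a Python check that a responder could run over a copy of WIN.INI and a listing of the WINDOWS directory to spot the auto-run persistence described above. The letters-only name pattern, the extra check of the load= key and the known_good allowlist are assumptions of this example, and the sample data is constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: names like the page's examples (RLITK.EXE, STNXOUL.EXE) are
# letters only; the 4-8 length range is a heuristic chosen for this example.
RANDOM_NAME = re.compile(r"^[A-Z]{4,8}\.EXE$", re.IGNORECASE)

def autorun_entries(win_ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line or line.startswith(";"):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # Several programs may be listed, separated by spaces or commas.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key, prog))
    return entries

def audit(win_ini_text, windows_dir_files, known_good=()):
    """Flag autorun targets that match the page's description of the worm copy."""
    files = {f.upper() for f in windows_dir_files}
    allowed = {n.upper() for n in known_good}
    findings = []
    if "WIN.HAI" in files:
        findings.append("temporary WIN.HAI file present")
    for key, prog in autorun_entries(win_ini_text):
        name = PureWindowsPath(prog).name.upper()
        if name not in allowed and RANDOM_NAME.match(name) and name in files:
            findings.append(f"{key}= starts {name} from the WINDOWS directory")
    return findings

# Constructed sample data, not taken from a real machine.
SAMPLE_INI = """\
[windows]
load=
Run=C:\\WINDOWS\\RLITK.EXE
"""
SAMPLE_FILES = ["WIN.INI", "WIN.HAI", "RLITK.EXE", "NOTEPAD.EXE", "CALC.EXE"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_FILES):
        print(finding)
```

Legitimate programs with short letters-only names also match the pattern, so pass the machine's expected auto-run programs in known_good and treat each remaining finding as a lead to verify.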
AccAvenger.873
Description AccAvenger.873
It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM files that are accessed. The virus corrupts the GLDTA.DBF file, if it exists. The virus contains the text string: *-* The Account Avenger *-*
Accept.3619
Description Accept.3619
This is a dangerous memory resident parasitic encrypted virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. If the file is already infected, the virus searches for other executable files and infects them. The virus contains the internal text string: COMMANDSCANCLEANVSHIELDNAVCPAVBOOTSAFE. It checks the file name before infection. If the name is COMMAND, SCAN, CLEAN, NAV, CPAV and so on, the virus does not infect that file. On December 20th and March 28th the virus corrupts disk sectors. The virus also contains the internal text strings: *.COM *.EXE 747 ME PERDI A ACCEPT, SOY UN PELOTUDO