W32.Harakit is a worm designed to propagate globally and reach as many computer users as possible to serve as an avenue for malware distribution. The worm may lower security configurations on the affected computer in order to conceal its operation once inside the system.
Alias: Win32/Yahlover.DH, Packed.Win32.Klone.bj, Trojan.Autoit, W32/Renocide-B, Generic.dx!sws
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
When W32.Harakit enters the computer, it immediately connects to a command and control (C&C) server to accept commands and download additional malware. The same C&C server can also trigger the following payloads:
- Update the worm to the latest variant by providing a specific download address.
- Record computer information such as hard drive serial number, user name, passwords, computer name, operating system version, system language and daily operation routine.
- Modify the Internet Explorer default home page settings.
- Display advertisements or provide malicious links when Internet Explorer is used to browse the web.
- Scan ranges of IP addresses to look for vulnerable targets.
W32.Harakit can spread in three possible ways. First, the worm targets peer-to-peer network connections. It creates a shared file containing a copy of itself, commonly disguised as a popular program, which is then freely distributed on a given network. The worm also spreads by infecting removable drives and unsecured network shares. It creates a malicious autorun.inf file on each targeted drive so that the worm runs automatically when the device is mounted.