W32.Harakit
W32.Harakit is a worm designed to propagate globally and reach as many computer users as possible to serve as an avenue for malware distribution. The worm may lower security configurations on the affected computer in order to conceal its operation once inside the system.
Alias: Win32/Yahlover.DH, Packed.Win32.Klone.bj, Trojan.Autoit, W32/Renocide-B, Generic.dx!sws
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
When W32.Harakit enters the computer, it immediately connects to a command and control (C&C) server to accept commands and download additional malware. The same C&C server can perform other payload as the following:
- Update the worm to the latest variants by providing specific download address.
- Record computer information like hard drive serial number, user name, passwords, computer name, operating system version, system language and daily operation routine.
- It modifies Internet Explorer default home page settings.
- The worm will display advertisements or provide malicious links if Internet Explorer is used to browse the web.
- Scan ranges of IP address to look for vulnerable target.
Distribution
There are three possible ways to explore in spreading W32.Harakit. First, the worm targets peer-to-peer network connections. It creates a shared-file, commonly in-disguise of a popular program containing a copy of itself and freely distributed on a given network. The worm also spreads by infecting removable drives and unsecured network shares. Creating a malicious autorun.inf file on each targeted drive runs the worm automatically when the device is mounted.
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"csrcs" = “%System% \csrcs.exe” HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"ctfu" = “%System% \ctfu.exe” HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"ctfu" = “%System%\ctfu.exe” HKEY_LOCAL_MACHINE \Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"ctfu" = “%System%\ctfu.exe” HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = “explorer.exe, csrcs.exe” (ONLY ON XP) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = “explorer.exe, ctfu.exe” (ONLY ON XP) HKEY_LOCAL_MACHINE \Software\Microsoft\DRM\amtyAssociated Files and Folders:
%System%\csrcs.exe %System%\ctfu.exe %System%\autorun.in %SystemDrive%\khx
How to Remove W32.Harakit
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of W32.Harakit, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Free tool from Symantec called Norton Power Eraser provides deep scanning technology to detect and remote threats like W32.Harakit. NPE targets and eliminate threats that regular virus scan fails to identify. Download NPE here.
Important! Because of Norton Power Eraser’s aggressive method, it can select even legitimate files as suspicious. Please use this tool very carefully.
nashwa
Sep 19, 2009 @ 15:39:24
my mobile is infected with w32.Harakit
Roberto
Sep 30, 2009 @ 20:23:52
Jodete macho!!!!