W32.Harakit


Discovered: October 20, 2008
Updated: August 03, 2012 3:43:47 PM
Also Known As: Win32/Yahlover.DH [Computer Associates], W32/Renocide-B [Sophos], Generic.dx!sws [McAfee]
Type: Trojan, Worm
Infection Length: 454,134 bytes
Systems Affected: Windows

W32.Harakit is a worm whose primary purpose is to spread as far and wide as it can and then deliver other malware to the compromised computers. It also attempts to lower security settings on the compromised computer in order to avoid detection.

Infection
The worm spreads through peer-to-peer (P2P) networks, removable drives, and local network shares. The worm obtains lists of common application names and repackages itself under modified versions of these names. The repackaged files are copied to any P2P shared folders on the compromised computer. Aggressive scans of various IP ranges are used to find open shares, to which the threat copies itself. AutoRun functionality is abused by creating autorun.inf files, along with the worm, on any writable removable drive inserted into the compromised computer.


Functionality
The worm is designed to spread as efficiently as possible to provide a platform for malware distribution. Additional malware is downloaded and installed. This installation can be specific to a country, IP range, date, or even computer name. Additional functionality includes the ability to update itself, remove itself completely from the compromised computer, and interact with Internet Explorer.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.


PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.


SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures
W32.Harakit


Antivirus Protection Dates

  • Initial Rapid Release version October 20, 2008 revision 009
  • Latest Rapid Release version March 20, 2019 revision 009
  • Initial Daily Certified version October 20, 2008 revision 024
  • Latest Daily Certified version March 20, 2019 revision 001
  • Initial Weekly Certified release date October 22, 2008


Writeup By: Gavin OGorman and Jarrad Shearer


1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network shares
1.5 Peer-to-peer applications
2. Infection method
2.1 Peer-to-peer (P2P)
2.2 Removable drives
2.3 Network shares
3. Functionality
3.1 System modifications
3.2 Network activity



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Do not use peer-to-peer networks to download files masquerading as key generation tools or cracks for various popular applications. W32.Harakit repackages itself in .rar or .zip files named after these popular applications. This repackaged file is then copied into peer-to-peer shared folders.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.


1.3 Address blocking
Block access to the threat's command and control addresses using a firewall or router, or add entries to the local hosts file that redirect those addresses to 127.0.0.1.



1.4 Network shares
This threat is also known to spread inside large networks by using shares. The following steps can help protect your computer against this threat.
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and combines numeric, capital and lowercase characters and symbols. Commonly used words from everyday language should not be used, as they may easily be defeated by a dictionary attack.
  • Disable the AutoRun feature to prevent dropped files from running automatically when a network drive is opened.


1.5 Peer-to-peer applications
Disable or do not use the following peer-to-peer applications:
  • Ares
  • Frostwire
  • eMule
  • Kazaa
  • Limewire
  • Shareaza
  • DC++



2. INFECTION METHOD
W32.Harakit uses three techniques to spread. These are:
  • Peer-to-peer networks
  • Removable drives
  • Network shares


2.1 Peer-to-peer (P2P)
Peer-to-peer networks allow W32.Harakit to spread quickly beyond the confines of the local network. The worm utilizes common application names when creating archives containing copies of itself.


Obtaining a list of names
These application names can be obtained in three ways:
  • Downloading lists of popular torrents from the following URLs and extracting the application names from the torrent list:
    • thepiratebay.org/top/401
    • thepiratebay.org/top/300
    • isohunt.com/torrents/?iht=5&ihs1=2&age=0
    • isohunt.com/torrents/?iht=4&ihs1=2&age=0
  • Receiving a URL from a command and control server. This URL points to a file listing additional names to use.
  • Falling back to an inbuilt list of names if both of the above techniques fail. These names are:
  • Adobe Photoshop CS4 Extended
  • Nero 9 Reloaded 9.4.26.0
  • Microsoft Office Enterprise 2007
  • Microsoft Windows 7 Ultimate Retail(Final) x86 and x64
  • WinRAR v3.90 Final
  • WinRAR v4.0 Final
  • WinRAR v5.0 Final
  • LimeWire PRO v5.4.6.1 Final
  • WinZip PRO v14.1
  • WinZip PRO v15.1
  • WinZip PRO v16.1
  • Metro 2033 Proper
  • Battlefield Bad Company 2
  • Just Cause 2
  • Assassins Creed 2
  • Mass_Effect_2
  • The Sims 3 Final
  • BioShock_2
  • TuneUp.Utilities.2010.v9.0.3100.22-TE
  • Sony Vegas Pro 9.0c Build 896 [32.64 bit]
  • Command & Conquer 4 Tiberian Twilight Retail
  • Counter-Strike 1.6 v.38
  • Batman.Arkham.Asylum
  • Pro.Evolution.Soccer.2010
  • Call of Duty 4 Modern Warfare
  • Call of duty 5 World At War
  • Fallout.3.Game.of.the.Year.Edition
  • Diablo 2 + Diablo 2: Lord Of Destruction
  • Grand Theft Auto Vice City
  • Warhammer 40000 Dawn Of War II Chaos Rising
  • Adobe Flash CS4 Professional
  • Pinnacle Studio 14 HD Ultimate
  • Autodesk AutoCAD 2010
  • Partition Magic 8
  • ConvertXtoDVD v4.x
  • Mathworks.Matlab.R2010a
  • Alcohol 120 v2.x
  • Adobe Illustrator CS4
  • DAEMON Tools Pro Advanced 4.x
  • Rosetta.Stone.V.3.3.5.Plus
  • Aliens Vs Predator Proper
  • Dragon Age Origins
  • Need.For.Speed.Shift


Modifying names
When the list of names has been obtained, W32.Harakit then modifies them in an attempt to make them more appealing to potential downloaders. If a name were used without modification, the downloader might notice a discrepancy between the expected application size and the actual size of W32.Harakit. As such, the name is modified to make it appear to be a crack or key generation tool. These tend to be small, thus avoiding suspicion.

For each name, one of the following strings is chosen at random and appended to the name:
  • Crack
  • Activator
  • Keygen
  • Validator
  • Razor1911
  • RELOADED
  • KeyMaker

For example, a potential output could be “Dragon Age Origins.Validator”


Creating the archive
When a modified name has been created, W32.Harakit creates either a .zip or .rar file with this modified name. The choice of .rar or .zip depends on what archiving application is installed on the local computer. If WinRAR is installed, it is used to create a .rar file. If not, the worm checks for 7-Zip, which is used to create .zip files. If neither is found, the threat downloads a copy of 7-Zip and then uses it to create the .zip file.

Using the example above, the archive would be called “Dragon Age Origins.Validator.rar” and would contain the files “Dragon Age Origins.Validator.txt” and “Dragon Age Origins.Validator.exe”. The text file simply contains the modified name and the executable file is W32.Harakit.


Targeted peer-to-peer networks
The created archive is then copied into the shared folder of any of a list of P2P applications that are installed on the infected computer. These applications are:
  • Ares
  • Frostwire
  • eMule
  • Kazaa
  • Limewire
  • Shareaza
  • DC++

The newly created malicious archive is then automatically shared on the peer-to-peer network.


2.2 Removable drives
The second method of spreading is through removable drives. W32.Harakit periodically iterates through any removable drives that are present on the local computer. When a removable drive is found, a pre-prepared autorun.inf is copied to the removable drive. This autorun.inf is stored locally as %System%\autorun.in.

The autorun.inf is created with random content in an attempt to prevent antivirus detection.

W32.Harakit then copies itself under a random name to the root of the removable drive.

If an infected removable drive is inserted into a computer which has the AutoRun feature enabled, the threat is automatically executed. If the computer is not already infected, W32.Harakit copies itself to the %System% folder. If the computer is already infected with W32.Harakit, the version on the removable drive is compared to that in the %System% folder. If the version on the removable drive is newer, the older copy is replaced.


2.3 Network Shares
The final technique W32.Harakit uses to spread is network shares. W32.Harakit obtains the local IP address and then also attempts to determine the WAN, or external, IP address. This is obtained using an IP lookup service.


WAN IP lookup
As a computer on an internal network will often use a private IP range, W32.Harakit must use an IP lookup service to obtain the external IP. There are two built-in URLs used to obtain this IP address:
  • http://www.whatismyip.com/automation/n09230945.asp
  • http://checkip.dyndns.org/?rnd1=%RAND%&rnd2=%RAND%

If these fail, the threat can also obtain the URL for an alternative IP lookup service from the command and control service.


IP Iteration
With the local IP and possibly the WAN IP obtained, W32.Harakit starts to scan the local and WAN IP ranges in an attempt to find open shares. Initially the local IP range is iterated through. For example, if the local IP is 192.168.1.2, then each IP from 192.168.1.1 up to 192.168.1.255 is tested. The IP is pinged first to determine if the host is alive. The following command is then attempted, where IP is the address being tested:
  net view IP

If this command succeeds, W32.Harakit copies itself to the open share it has found, along with an autorun.inf file, in a similar manner to the way it spreads through removable drives.

The same process is carried out on the WAN IP, if it has been obtained. In addition, the command and control server can instruct W32.Harakit to perform this process on a given range of IPs.



3. FUNCTIONALITY
W32.Harakit is designed to spread in order to infect as many computers as possible. When a computer is infected, the worm then connects to a command and control server to receive commands. The C&C server issues a list of URLs with specific configuration values. These configuration values can consist of a country code, IP range, or date range. If the infected computer is located within that particular country or IP range, or the local time is within the date range, the file at the URL is downloaded and executed.

As such, W32.Harakit is essentially a malware delivery platform. The reason it spreads is to install other malware applications. Presumably the owner of the network is paid to distribute this additional malware. In addition, the command and control server can issue commands to:
  • Update the worm version. A URL of the latest variant is provided.
  • Remove itself based on a given IP range, country code, or user name and computer name.
  • Upload information about the compromised computer. This information can consist of:
    • Primary drive serial number
    • User name
    • Computer name
    • Operating system version
    • Operating system service pack
    • Primary drive name
    • Operating system language
    • System directory name
    • System uptime
  • Insert advertisements or links into Internet Explorer, and set the start page for IE to a given URL.
  • Download and execute URLs only if certain registry values are present.
  • Scan a given IP range to find open shares to spread to.


3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.


Files created
  • %System%\csrcs.exe
  • %System%\ctfu.exe
  • %System%\autorun.in
  • %SystemDrive%\khx

Files deleted
None

Files modified
None


Registry subkeys/entries created
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"csrcs" = "%System%\csrcs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"ctfu" = "%System%\ctfu.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"ctfu" = "%System%\ctfu.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe, csrcs.exe" (only on Windows XP)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe, ctfu.exe" (only on Windows XP)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\DRM\amty

Note: W32.Harakit uses the Amty subkey in the registry to store configuration information and log activity.


Registry subkeys/entries deleted
None


Registry subkeys/entries modified (final values given)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"SuperHidden" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"


Processes
  • Csrcs.exe
  • Ctfu.exe
  • The Teatimer.exe process is ended if it is running.
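An added triage script, not part of the Symantec writeup, that checks a Windows host for the artifacts listed in this section. It assumes %System% is %SystemRoot%\System32, only reports what it finds, and changes nothing.

```powershell
# Added example, not from the Symantec writeup: read-only check of a Windows
# host for the W32.Harakit artifacts listed in Section 3.1. Assumes %System%
# is %SystemRoot%\System32. Run from an elevated PowerShell prompt.

$system = Join-Path $env:SystemRoot 'System32'
$findings = @()

# Files created by the worm
$files = @(
    (Join-Path $system 'csrcs.exe'),   # csrcs, not the legitimate csrss.exe
    (Join-Path $system 'ctfu.exe'),
    (Join-Path $system 'autorun.in'),  # template later copied as autorun.inf
    (Join-Path $env:SystemDrive 'khx')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Autostart values created under HKLM
$runValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices';          Name = 'csrcs' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices';          Name = 'ctfu'  },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'ctfu'  }
)
foreach ($v in $runValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) { $findings += "Autostart value: $($v.Path)\$($v.Name) = $($item.($v.Name))" }
}

# On XP the worm appends csrcs.exe or ctfu.exe to the Winlogon Shell value
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
}

# Subkey the worm uses to store configuration and activity logs
if (Test-Path 'HKLM:\Software\Microsoft\DRM\amty') {
    $findings += 'Registry subkey present: HKLM\Software\Microsoft\DRM\amty'
}

# Running processes with the worm's file names
foreach ($p in Get-Process -Name 'csrcs', 'ctfu' -ErrorAction SilentlyContinue) {
    $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
}

# Explorer view settings the worm changes so its files stay hidden; listed for
# review only, since some of the final values also match Windows defaults
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$view = Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue
$viewReport = foreach ($name in 'Hidden', 'SuperHidden', 'ShowSuperHidden') {
    if ($view -and $null -ne $view.$name) { "Explorer\Advanced\$name = $($view.$name)" }
}

if ($findings.Count -eq 0) { 'No W32.Harakit artifacts found.' } else { $findings }
'Explorer view settings for review:'
$viewReport
```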


3.2 Network activity
The threat may perform the following network activities.


Downloading
W32.Harakit may connect to any of the domains referred to in Section 1.3 (Address blocking) in order to receive command messages. The same domains may be contacted to download further updates and additional malware.


Uploading
Stolen information about the local computer is uploaded to the domains referred to in Section 1.3. In addition, every time W32.Harakit succeeds in spreading itself through peer-to-peer applications, removable drives, or network shares, it uploads logging information about the infection to these same domains.

The logged information may be uploaded to URLs with the following pages:
  • a_log.php
  • f_log.php
  • e_log.php
  • k_log.php
  • l_log.php
  • s_log.php
  • d_log.php
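An added detection example, not from the writeup, that runs over constructed web proxy log lines and flags requests whose path ends in one of the seven logging pages listed above. The log format, client address and host names are made up for the demonstration.

```powershell
# Added example, not from the Symantec writeup: flag web proxy log lines whose
# requested path ends in one of the seven logging pages from Section 3.2.
# Log format, client address and host names below are constructed.

$logPages = 'a_log.php', 'f_log.php', 'e_log.php', 'k_log.php', 'l_log.php', 's_log.php', 'd_log.php'

function Find-HarakitLogUploads {
    param([string[]]$Lines)
    # The page name must be the last path segment, optionally followed by a
    # query string, so unrelated names such as catalog_log.php do not match.
    $alternatives = ($logPages | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = '(?i)https?://(?<host>[^/\s]+)/(?:[^\s?]*/)?(?<page>' + $alternatives + ')(?:\?\S*)?(?=\s|$)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                Host = $m.Groups['host'].Value
                Page = $m.Groups['page'].Value.ToLower()
                Line = $line
            }
        }
    }
}

# Constructed sample lines: timestamp, client IP, method, URL, status
$sample = @(
    '2012-08-03 09:58:03 10.10.4.21 GET http://www.example.com/index.html 200',
    '2012-08-03 09:58:17 10.10.4.21 POST http://c2-host.invalid/s_log.php?id=CONSTRUCTED 200',
    '2012-08-03 09:58:20 10.10.4.21 GET http://www.example.com/catalog_log.php 200',
    '2012-08-03 09:59:02 10.10.4.21 POST http://c2-host.invalid/cgi/d_log.php 200'
)

Find-HarakitLogUploads -Lines $sample | Format-Table Host, Page -AutoSize
```

Replace $sample with Get-Content over a real proxy log to run the same check on live data.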


Other network activity
Attempts to spread through open network shares are documented in Section 2.3.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.



You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool


If you have an infected Windows system file, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace it from the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
