
HTTP W32 Harakit Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Harakit HTTP activity.

Additional Information

W32.Harakit is a worm that spreads by copying itself to network shares and removable drives. It may also spread through instant messaging applications.

Once executed, the worm may create the following files:

* %SystemDrive%\khq
* %SystemDrive%\khr
* %System%\cftm.exe
* %System%\cftmen.exe



It copies itself to the following location and then deletes the original executable:
%System%\csrcs.exe

The worm also creates the following file in the root of every removable drive, so that it executes whenever the drive is accessed (AutoRun must be enabled for this to work, which is why the worm removes the AutoRun restrictions listed below):
autorun.inf

The worm creates the following registry entries, so that it runs every time Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"cftm" = "C:\WINDOWS\system32\cftm.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"csrcs" = "C:\WINDOWS\system32\csrcs.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cftm" = "C:\WINDOWS\system32\cftm.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"cftm" = "C:\WINDOWS\system32\cftm.exe"



The worm creates the following registry entry so that Windows Explorer does not display protected operating system files, which keeps its own hidden copies out of sight:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

It also modifies the following existing registry value, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe csrcs.exe"

It may also create and populate the following registry keys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRM
* HKEY_LOCAL_MACHINE\SOFTWARE\ESET\Nod



The worm may delete the following registry entries, which restrict AutoRun; removing them re-enables AutoRun on removable media and so helps the autorun.inf file it drops to execute:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "B5"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveAutoRun" = "FF FF FF 03"



It may also delete registry entries present in the following registry subkeys to lower security settings:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system



The worm spreads through network shares, removable devices or instant messaging applications.

It has back door capabilities and may connect to a predetermined IRC channel, allowing a remote attacker to perform the following actions:

* Gather confidential information
* Use the compromised computer as a bot controlled through IRC servers
* Download extensions and updates of itself



It may attempt to contact any of the following URLs:

* akitaka.oct382x.com/lexum/genst.htm
* checkip.dyndns.org/?rndl
* diesam.moe.hm/ii/133.php
* geoloc.daiguo.com
* lemox.myhome.cx
* oct382x.com/4.exe
* oct382x.com/4.php
* oct382x.com/lexum/genste.htm
* sousi/extasix.com/genst.htm
* tonkor.or.tp/llkah.htm
* tonkor.or.tp/worlog1.php
* tonkor.or.tp/worlog2.php
* tonkor.or.tp/worlog3.php
* tonkor.or.tp/worlog4.php
* tonkor.or.tp/worlog5.php
* tonkor.or.tp/worlog6.php
* www.whatismyip.com/?rndl
* www.whatismyip.com/automation/n09230945.asp
* zkarmy.dip.jp/oolksh.htm
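The URL list above is the network-side indicator this signature is built around, and it is also what a proxy-log search would use. The script below is an added example, not Symantec's signature logic: it turns the list into a host-and-path index, classifies each request in a proxy log, and separates the public "what is my IP" lookups (which many legitimate programs perform) from the rest, so that a host is only escalated when it contacted one of the worm-specific URLs. The log format, the sample lines and the function names are constructed for the example; the indicator strings are copied verbatim from this page, including the one entry that appears mangled.

```python
"""Match proxy-log requests against the W32.Harakit URL list from this
write-up.  Added example, not Symantec's signature; the log format and the
sample lines are constructed."""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicators copied verbatim from the write-up.  An entry without a path
# matches any request to that host; the rest match host + path (query ignored).
HARAKIT_URLS = [
    "akitaka.oct382x.com/lexum/genst.htm",
    "checkip.dyndns.org/?rndl",
    "diesam.moe.hm/ii/133.php",
    "geoloc.daiguo.com",
    "lemox.myhome.cx",
    "oct382x.com/4.exe",
    "oct382x.com/4.php",
    "oct382x.com/lexum/genste.htm",
    "sousi/extasix.com/genst.htm",  # kept as printed, even though it looks mangled
    "tonkor.or.tp/llkah.htm",
    "tonkor.or.tp/worlog1.php",
    "tonkor.or.tp/worlog2.php",
    "tonkor.or.tp/worlog3.php",
    "tonkor.or.tp/worlog4.php",
    "tonkor.or.tp/worlog5.php",
    "tonkor.or.tp/worlog6.php",
    "www.whatismyip.com/?rndl",
    "www.whatismyip.com/automation/n09230945.asp",
    "zkarmy.dip.jp/oolksh.htm",
]
# External-IP services are used by plenty of legitimate software; a hit here
# only says that something looked up the host's public address.
LOW_CONFIDENCE_HOSTS = {"checkip.dyndns.org", "www.whatismyip.com"}


def _split(indicator: str) -> Tuple[str, str]:
    """'host/path?query' -> (host, '/path'); a bare host or '/' yields path ''."""
    host, _, rest = indicator.partition("/")
    path = ("/" + rest.split("?", 1)[0]) if rest else ""
    return host.lower(), path.rstrip("/")


def build_index(indicators: List[str]) -> Dict[str, Set[str]]:
    index: Dict[str, Set[str]] = {}
    for indicator in indicators:
        host, path = _split(indicator)
        index.setdefault(host, set()).add(path)
    return index


def classify_url(url: str, index: Dict[str, Set[str]]) -> Optional[str]:
    """Return 'high', 'low' or None for one requested URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/")
    paths = index.get(host)
    if paths is None:
        return None
    if path in paths or "" in paths:  # '' means the indicator is host-only
        return "low" if host in LOW_CONFIDENCE_HOSTS else "high"
    return None


def scan_log(text: str, index: Optional[Dict[str, Set[str]]] = None) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, confidence, url) for every matching request.

    Constructed line format: '<timestamp> <source-ip> <method> <url> <status>'."""
    index = index or build_index(HARAKIT_URLS)
    hits: List[Tuple[str, str, str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line: skip rather than guess
        timestamp, source, _method, url, _status = fields[:5]
        confidence = classify_url(url, index)
        if confidence:
            hits.append((timestamp, source, confidence, url))
    return hits


def sources_with_high_confidence(hits: List[Tuple[str, str, str, str]]) -> Set[str]:
    """Hosts that reached a worm-specific URL, not just an IP-lookup service."""
    return {source for _ts, source, confidence, _url in hits if confidence == "high"}


# Constructed sample log: 10.0.0.5 shows the full pattern, 10.0.0.9 only an IP lookup.
SAMPLE_LOG = """\
2010-03-02T10:15:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2010-03-02T10:15:07Z 10.0.0.5 GET http://checkip.dyndns.org/?rndl 200
2010-03-02T10:15:09Z 10.0.0.5 GET http://oct382x.com/4.exe 200
2010-03-02T10:15:12Z 10.0.0.5 POST http://tonkor.or.tp/worlog1.php 200
2010-03-02T10:16:40Z 10.0.0.9 GET http://oct382x.com/ 404
2010-03-02T10:17:02Z 10.0.0.9 GET http://www.whatismyip.com/automation/n09230945.asp 200
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("escalate:", sorted(sources_with_high_confidence(hits)))
```

Matching is exact on host and path because that is what the page lists; a request for the bare root of oct382x.com is therefore not flagged. Widening the oct382x.com and tonkor.or.tp entries to host-only matches is a reasonable tuning choice for a hunt, but it is a decision to make deliberately, not one the page supports on its own.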

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.