Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects W32.Harakit HTTP activity.

Additional Information

W32.Harakit is a worm that spreads by copying itself to network shares and removable drives. It may also spread through instant messaging applications.

Once executed, the worm may create the following files:

* %SystemDrive%\khq
* %SystemDrive%\khr
* %System%\cftm.exe
* %System%\cftmen.exe

It will copy itself to the following location and then delete itself:

The worm also creates the following file on all removable drives so that it executes whenever the drive is accessed:

The worm creates the following registry entries, so that it runs every time Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"cftm" = "C:\WINDOWS\system32\cftm.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"csrcs" = "C:\WINDOWS\system32\csrcs.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cftm" = "C:\WINDOWS\system32\cftm.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"cftm" = "C:\WINDOWS\system32\cftm.exe"

The worm creates the following registry entry so that it hides itself and runs when Windows starts:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

It also modifies the following existing registry value, so that it runs every time Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe csrcs.exe"

It may also create and populate the following registry keys:


The worm may delete the following registry entries:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "B5"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveAutoRun" = "FF FF FF 03"

It may also delete registry entries present in the following registry subkeys to lower security settings:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

The worm spreads through network shares, removable devices or instant messaging applications.

It has back door capabilities and may connect to a predetermined IRC channel allowing unauthorized access to perform the following actions:

* Gather confidential information
* Act as a bot through IRC servers
* Download extensions and updates of itself

It may attempt to contact any of the following URLs:



* Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
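
Step 4 depends on knowing which values the worm added. The following added example (not part of the original advisory or of any Symantec tool) parses a registry export in `.reg` format and flags the start-up entries listed above. The sample export and its `Updater` entry are constructed, and treating any Winlogon `Shell` other than plain `explorer.exe` as suspicious is a generalization of the single value the page gives.

```python
import re

# Start-up keys and file names taken from the registry entries listed on this page.
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {CV + r"\policies\explorer\run", CV + r"\run", CV + r"\runservices"}
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WORM_FILES = {"cftm.exe", "csrcs.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg strings escape backslashes and quotes with a backslash.
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))


def audit(text):
    """Return (key, value_name, data, reason) for entries matching this page."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        # File names referenced by the value data (quotes and directories stripped).
        files = {t.rsplit("\\", 1)[-1] for t in data.lower().replace('"', " ").split()}
        if k in RUN_KEYS and files & WORM_FILES:
            findings.append((key, name, data, "autorun entry points at worm file"))
        elif k == WINLOGON and name.lower() == "shell" and files != {"explorer.exe"}:
            findings.append((key, name, data, "Winlogon Shell is not plain explorer.exe"))
    return findings


# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cftm"="C:\\WINDOWS\\system32\\cftm.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe csrcs.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" | ".join(finding))
```

`reg export` writes UTF-16 text, so read such a file with `encoding="utf-16"` before passing its contents to `audit`.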
