Summary
Hai is a network worm that spreads in Win32 local networks. The worm is a PE EXE file 65536 bytes long and it is packed with PELOCK file compressor. The worm was not widespread by the time of creation of this description.
Removal
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
-
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
-
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
-
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
After being launched the worm creates a thread that starts to scan for valid IP addresses starting from the IP address of the infected computer. The worm scans a full range of IP addresses starting increments/decrements from lower IP address value.
When the worm finds a valid IP address (connection succeeds), it creates another thread that enumerates shared network resources/drives on a found remote computer. If there's a share with \Windows\ folder on a remote system the worm attempts to find and open WIN.INI file there. If WIN.INI is found, the worm creates WIN.HAI file and starts looking for 'RUN=' variable in WIN.INI file while copying its contents to WIN.HAI file.
If 'RUN=' variable is found, the worm puts a randomly generated file name after it (the worm will later copy itself with this name to a remote system). If 'RUN=' variable is not found, the worm creates it itself and then adds a randomly generated file name after it.
Finally the worm copies itself into \Windows\ folder to a remote system with a random name that it used to register itself in WIN.INI file (see above). Then the worm deletes WIN.INI file and renames WIN.HAI file as WIN.INI.
When a remote system is restarted the worm gets activated from 'RUN=' command. This however only happens on Win9x systems as on NT-based systems WIN.INI file is not used to start files on bootup. After infecting a remote system the infection thread terminates and IP scanning thread keeps scanning for valid IP addresses.
)
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
- Award-winning antivirus and malware protection
- Online browsing, banking, and shopping protection
- 24/7 online identity and data breach monitoring
- Unlimited VPN service to safeguard your privacy
- Password manager with private data protection
More Support
Community
Ask questions in our Community .
User Guides
Check the user guide for instructions.
Submit a Sample
Submit a file or URL for analysis.