Aliases: Win32/Yahlover.DH, Packed.Win32.Klone.bj, Trojan.Autoit, Worm:AutoIt/Renocide.gen!C, Win-Trojan/Qhost.61440.E
Variants: Win-Trojan/Midgare.229888, Trojan-Downloader.Win32.FraudLoad, Worm.Win32.AutoIt.pl, Trojan.Win32.Autoit.fi, PE_SALITY.EN

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Europe, North America
Removal: Easy
Platform: W32
Discovered: 20 Oct 2008
Damage: Medium

Characteristics: W32.Harakit is a type of malware that uses removable storage devices, weakly protected network shares, and some Instant Messaging clients as transport mechanisms. It attempts to lower the security settings of the target machine, leaving it more vulnerable to attack. This threat has been observed to open an unsecured backdoor on the infected computer system, which can be used to compromise sensitive stored information.

More details about W32.Harakit

As with other types of malware, this particular threat creates its file traces in the operating system directory. W32.Harakit uses an executable trigger file along with at least two support files that have three-letter filenames and no file extension. When executed, it creates a new copy of its executable file on every network share and removable storage device it can reach. The files created by W32.Harakit are normally accompanied by an information file that triggers automatic execution of the threat whenever the infected network share or drive is accessed. W32.Harakit also creates corresponding entries in the Windows Registry to establish its presence on the infected machine and load itself on every boot and restart.
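A defender-side triage check for the propagation layout described above, added here as an example and not taken from the W32.Harakit entry or any vendor tool: it parses an autorun-style information file at a drive or share root, flags any executable it would launch that sits beside it, and lists extension-less three-letter files. The sample root, and the names dropper.exe, abc and xyz, are constructed for the demonstration.

```python
"""Added example: scan a drive/share root for an autorun.inf that launches a
sibling executable and for extension-less three-letter support files.
Names used in the sample (dropper.exe, abc, xyz) are constructed."""
import os
import tempfile

def parse_autorun(path):
    """Return the programs an autorun.inf would launch (open= / shellexecute=)."""
    targets = []
    with open(path, "r", errors="ignore") as fh:
        for raw in fh:
            line = raw.strip()
            if "=" not in line or line.startswith((";", "[")):
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") and value:
                # First token is the program; drop surrounding quotes and arguments
                targets.append(os.path.basename(value.split()[0].strip('"')))
    return list(dict.fromkeys(targets))  # de-duplicate, keep order

def scan_root(root):
    """Report suspicious pairings found directly under one drive or share root."""
    findings = []
    names = os.listdir(root)
    by_lower = {n.lower(): n for n in names}  # Windows paths are case-insensitive
    if "autorun.inf" in by_lower:
        for target in parse_autorun(os.path.join(root, by_lower["autorun.inf"])):
            if target.lower() in by_lower:
                findings.append(f"autorun.inf launches sibling executable: {target}")
    for name in names:
        base, ext = os.path.splitext(name)
        if ext == "" and len(base) == 3 and os.path.isfile(os.path.join(root, name)):
            findings.append(f"extension-less three-letter file: {name}")
    return findings

def build_sample_root():
    """Constructed sample root mimicking the described layout; no real malware."""
    root = tempfile.mkdtemp(prefix="harakit_demo_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write('[autorun]\nopen=dropper.exe\nshellexecute="dropper.exe" -q\nicon=dropper.exe\n')
    for name in ("dropper.exe", "abc", "xyz", "readme.txt"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder")  # inert filler bytes
    return root

def demo():
    """Run the scan over the constructed sample and return its findings."""
    return scan_root(build_sample_root())

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host the same scan would be run over each removable drive letter and mapped share root; a match is a lead for triage, not proof of this particular family.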

The Windows Registry is also used to hide the worm and to lower the security configuration of the compromised machine. W32.Harakit uses its backdoor functionality to connect silently to predetermined Internet Relay Chat channels, normally controlled by the malware author. The author can use this backdoor to harvest information from the compromised machine or to take control of its resources and make it function as a bot. W32.Harakit is also capable of downloading updates and extensions of itself; this code is hosted on predefined websites that the malware can access.