Aliases: PE_AGENT.MZD, Virus.Win32.Agent.am, Win-Trojan/Hoai.402710
Variants: W32/Xiaoho.worm, W32/XiaoHao.A, W32/Hoaix-A, Virus.Win32.Agent.o, Virus.Win32.Agent.ai

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, Africa, Australia, North America, Europe
Removal: Easy
Platform: W32
Discovered: 16 Aug 2007
Damage: Low

Characteristics: Computer systems which suffer from a manifestation of this malware are commonly observed to have the infection spread to all available drives. This is because the W32.Hauxi scans for the presence of all logical drives on the compromised machine and infects them. It attacks predominantly executable and hyper text markup language file types found in these drives and overwrite their contents. This routine corrupts the attacked file making them virtually unusable.

More details about W32.Hauxi

Once a vulnerable computer system is infected by this Worm, an executable file will be placed in the same directory folder location where the operating system is stored. The filename used would normally resemble a legitimate operating system executable. This executable file serves as the main trigger for the W32.Hauxi malware. On other hard drives this worm will place a copy of its executable file using another filename. The executable file will normally be accompanied by an information file which allows the W32.Hauxi to automatically execute when the infected drive is accessed. The malware will also place a text based file on the root directory of the main hard drive. All logical drives are infected by the W32.Hauxi aside from the floppy drive.

The W32.Hauxi will change its attribute to hidden using certain Windows Registry keys. The Windows Registry is also modified by the malware to attain automatic loading on computer system boot up or restart. Other types of files that are susceptible to an infection from the W32.Hauxi would include hypertext preprocessors, javaserver pages, and active server pages among others. These types of files are infected by the W32.Hauxi using an iFrame instruction which will allow the placement of a link that can redirect the Web browser to a malicious website. Executable files compromised by this Worm cannot be repaired.