|Type||Computer Worm, RAT|
|Short Description||H-worm is a VBS-based worm with RAT functionalities that can be employed in targeted attacks and spam campaigns.|
|Symptoms||The worm can be spread to steal sensitive data.|
|Distribution Method||Corrupted links, spam emails, a corrupted VBS file.|
|Detection tool||Download Malware Removal Tool, to See If Your System Has Been Affected By H-worm|
A Computer worm is a malicious piece of software that should be removed instantly from the infected PC. H-worm falls under the category of VBS (Visual Basic Script) worms. It is also reported to have RAT (remote access Trojan) capabilities which make it even worse. The name ‘H-worm’ comes from the worm’s author – an individual hacker going by the nickname Houdini. According to security researchers at FireEye, the hacker is most likely based in Algeria.
The H-worm has been used primarily in targeted attacks on companies in the energy sector. However, it has been spotted in other types of attacks via email attachments and corrupted links.
H-worm Technical Description. RAT and Command & Control Server
The H-worm attacks starts off with a simple VBS file that may be hidden in a PE executable dropper. According to research, in specific attacks, multiple layers of obfuscation can be added to the worm. Upon analyzing such fragments, researchers at FireEye discovered that they were baffled with:
- Custom Base64 encoding.
- Several levels of standard Base64 encoding known as Safa Crypter.
- Character substitutions.
The H-worm is reported to have another, Autoit version known as the ‘underworld’ variant. However, it has the functions of the VBS type.
In terms of the successful Command&Control contact, the worm will generate a network telemetry (beacon). As a result, multiple pieces of sensitive identification details will be sent out in the User-Agent field.
Additionally, H-worm is designed to employ multiple remote commands such as:
Researchers at FireEye have also uncovered the builder and the controller interface of H-worm. It control panel is written in the Delphi programming language. Delphi is an IDE (Integrated Development Environment) for console, desktop, web and mobile applications.
Some of the worm’s malicious features such as the password grabber and the USB spreading functionality were not enabled in the analyzed version. However, those can be active in newer variants of H-worm.
An examination of the infrastructure of the Command&Control server unveils that it is shared by some infamous RATs (Remote Access Trojans) such as:
→NjW0rm, NjRat/LV, XtremeRAT, PoisonIvy
The cyber criminals who have written those probably own a lot more RATs to initiate multiple malicious attacks. Security specialists believe that H-worm shares the same code base with njq8. It remains unclear exactly how related they are, but it is easy to assume that njq8 is a group of people specializing in the development of RATs.
Who Is H-worm’s Creator Houdini?
A vast security research on Houdini indicates that the hacker has a portal to showcase his work that also hosts a demo video of H-worm. The way the portal was written reveals that the hacker is proficient in French and Arabic, hence the conclusion he was from Algeria.
What to Do If Affected by H-Worm?
Many worms exploit network vulnerabilities to spread across the Web. A spamming technique may also be employed. To increase your system’s strength against malware, it is highly recommended to sustain a powerful anti-malware program. Additionally, inserting unknown and unchecked USB drives and external media is also considered quite unsafe.
There are several more security tips to follow in order to stay protected against worms and RATs:
- Choose a secure ISP (Internet Service Provider).
- Enable automatic Windows updates.
- Enable the Windows Firewall.
- Update your browser to bypass zero-day attacks.
- Backup your data.
- Avoid p2p file sharing.
If you feel like you need to know more about worms and RATs, you can refer to our article about the most popular Trojan attacks in 2015 .