Aliases: W32/HLLW-Naxe, W32/Naxe, Win32.NaCopy, Worm.Naxe, WORM_NAXE.A
Variants: W32/Hayque.worm, Worm.Naxe!sd5, Worm.Win32.Naxe

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 29 Jan 2002
Damage: Low

Characteristics: According to some antivirus experts, the W32.Hayqu has been observed to place an executable file in the root directory of the main hard drive. The same executable file can be found in the floppy disk whenever one is present in the infected computer system. The floppy disk is identified as the main transport mechanism used by this malware. A run command is placed for the executable file in the initialization file of the operating system.

More details about W32.Hayqu

Based on the observations from previous instances of infections, majority of the time this malware does not contain any payload. This means that the W32.Hayqu was simply designed to jump from one computer system to another spreading its codes. The manner of infection is done mainly via the use of floppy disks and possibly majority of removable storage media types. There is also a distinct possibility that the W32.Hayqu may spread to a network environment using file shares. A computer system that suffers an infection from this threat normally would experience the frequent display of a message box stating that there is a Runtime error using the code 53 as a reference. The W32.Hayqu message box also states that the file is not found.

The title of the message box displayed by the W32.Hayqu usually uses the name Runbll which is presumably a ploy to make the alert authentic by making it look as close as possible to the RUNDLL service of the operating system. Some reports indicate that there are variants of the W32.Hayqu which have become network aware allowing them to transfer codes directly to the connected network clients. Since the W32.Hayqu does not have a destructive payload, it mostly becomes an annoyance by constantly bringing up the message box on the display screen of the infected machine.