
Backdoor.Hamweq.Z


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Backdoor.Hamweq.Z is also known as Trojan.Win32.Buzus, W32.Pilleuz, Win32:Floot-J.

Explanation:

When first run, the malware creates the directory "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451", copies itself there under the name "games.exe", and drops a file named "Desktop.ini" that makes the directory appear as the Recycle Bin when opened in Explorer.

To ensure it runs, it creates the following registry values:
"Taskman" and "Shell" under "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", and "games" under "Software\Microsoft\Windows\CurrentVersion\Run", all of them pointing to "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe".

After this, the malware injects its code into the memory space of the "explorer.exe" process to hide its malicious behavior.

It then communicates with a malicious server by opening a new connection through port 8800 to games.freeps3[removed].biz, sending and receiving commands and executing them on the infected machine.

It has the capability to steal user information, send mail, initiate SYN attacks, and download and execute new malware.
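As an added defender-side example (not part of the BitDefender write-up), the following PowerShell script audits a Windows host for the persistence and command-and-control indicators described above. It assumes the Winlogon values live under HKLM, checks the "games" Run value under both HKCU and HKLM because the write-up does not name the hive, and goes beyond the single SID quoted above by reporting any C:\RECYCLER subfolder that carries a games.exe. The function names are invented for this example.

```powershell
# Added example, not part of the BitDefender write-up: read-only audit of the
# persistence and C2 indicators described for Backdoor.Hamweq.Z.
# Assumptions not stated on the page: Winlogon values under HKLM; the "games"
# Run value may sit under HKCU or HKLM; the injected host process is explorer.exe.

$RecyclerRoot = 'C:\RECYCLER'
$RecyclerDir  = Join-Path $RecyclerRoot 'S-1-5-21-0243556031-888888379-781863308-1451'
$Winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Registry locations named in the write-up. Expected = $null means the value
# should not exist at all on a clean machine.
$RegistryChecks = @(
    @{ Path = $Winlogon; Name = 'Taskman'; Expected = $null },
    @{ Path = $Winlogon; Name = 'Shell';   Expected = 'explorer.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'games'; Expected = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'games'; Expected = $null }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-HamweqPersistence {
    $findings = @()

    foreach ($check in $RegistryChecks) {
        $value = Get-RegistryValueOrNull -Path $check.Path -Name $check.Name
        if ($null -eq $value) { continue }
        # Flag a value that should be absent, one that differs from its default,
        # or any value that points at the dropped games.exe.
        $bad = ($null -eq $check.Expected) -or ($value -ne $check.Expected) -or ($value -like '*games.exe*')
        if ($bad) {
            $findings += [pscustomobject]@{ Indicator = "$($check.Path)\$($check.Name)"; Detail = $value }
        }
    }

    # Generalised beyond the one SID quoted in the write-up: every RECYCLER
    # subfolder holding a games.exe is reported, the quoted one included.
    if (Test-Path -LiteralPath $RecyclerRoot) {
        $dirs = @(Get-ChildItem -LiteralPath $RecyclerRoot -Directory -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            $exe = Join-Path $dir.FullName 'games.exe'
            if (Test-Path -LiteralPath $exe) {
                $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Detail = $exe }
            }
        }
    }

    # The Recycle Bin disguise is carried by the Desktop.ini dropped next to games.exe.
    $ini = Join-Path $RecyclerDir 'Desktop.ini'
    if (Test-Path -LiteralPath $ini) {
        $findings += [pscustomobject]@{ Indicator = 'Desktop.ini disguise'; Detail = (Get-Content -LiteralPath $ini -Raw) }
    }
    return $findings
}

function Test-HamweqC2 {
    # explorer.exe has no legitimate reason to hold an outbound connection on
    # port 8800; the write-up says the backdoor runs injected into it and talks
    # to port 8800. Get-NetTCPConnection requires Windows 8 / Server 2012 or later.
    $conns = @(Get-NetTCPConnection -RemotePort 8800 -State Established -ErrorAction SilentlyContinue)
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Indicator = 'Outbound TCP 8800'
            Detail    = "$($c.RemoteAddress):$($c.RemotePort) owned by $($proc.ProcessName) (PID $($c.OwningProcess))"
        }
    }
}

$results = @(Test-HamweqPersistence) + @(Test-HamweqC2)
if ($results.Count -eq 0) {
    Write-Output 'No Hamweq.Z indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated prompt so HKLM and the RECYCLER folder are readable. The "Shell" check treats "explorer.exe" as the only clean value, so a host with a deliberately customized shell will show up as a finding and needs a manual look; the connection check only catches a session that is established at the moment the script runs, so pair it with firewall or proxy logs for port 8800 when investigating a host after the fact.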

Last update 21 November 2011
