Worm:Win32/Hamweq!inf
First posted on 16 March 2009.
Source: SecurityHome
Aliases:
There are no other names known for Worm:Win32/Hamweq!inf.
Explanation:
Worm:Win32/Hamweq is a worm that spreads via removable drives, such as USB memory sticks. It contains an IRC-based backdoor, which may be used by a remote attacker to order the affected machine to participate in Distributed Denial of Service attacks, or to download and execute arbitrary files.
Symptoms
System Changes
The following system changes may indicate the presence of Worm:Win32/Hamweq.A:
Presence of the following files:
RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
Presence of the following registry modification (for example):
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\<class id>
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\<filename>"
Installation
When executed, Worm:Win32/Hamweq injects code into the explorer.exe process, which then copies Hamweq’s executable to the RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 directory. At the time of publication, we had observed the following filenames being used for this copy:
isee.exe
ise.exe
ise32.exe
iuhx32.exe
It also creates a harmless text file named 'Desktop.ini' in the same directory. It may attempt to delete older versions of itself if these are present on the affected machine. It also creates the following registry entry:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\<class id>
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\<filename>"
For example, the entry created by one variant is as follows:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe"
It uses a mutex such as “asd-+094997” to ensure that no more than one copy runs at a time.
Spreads Via...
Removable Drives
Worm:Win32/Hamweq periodically checks for the presence of removable drives (such as USB memory sticks). If one is found (other than in the A: or B: drive), it copies itself to this drive as a hidden system file in the RECYCLERS-1-5-21-1482476501-1644491937-682003330-1013 directory. It uses the same filename as that previously used for its copy on the local hard disk. It also creates a file called 'Desktop.ini' in the same directory, and an autorun.inf file in the root directory of the removable drive. The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs. The autorun.inf file used by Hamweq is detected as Worm:Win32/Hamweq!inf. Once the infection of the drive is complete, it sends a notification message to the backdoor’s controller (see Payload section below for additional detail).
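As an added defender-side example (not part of the original analysis), the following Python applies the two indicators described above to constructed input: it scans the text of a `reg export` of the Active Setup key for StubPath values that launch from a RECYCLER\S-1-5-...\ directory, and parses an autorun.inf to check whether its launch entries point there as well. The class IDs, the benign StubPath entry and the autorun.inf contents are constructed; the SID and the isee.exe filename are the ones listed on this page.

```python
import re

# Copy location the page describes: RECYCLER\<SID>\<name>.exe (absolute or drive-relative)
RECYCLER_EXE = re.compile(r'(?:^|\\)RECYCLER\\S-1-5(?:-\d+)+\\[^\\"\r\n]+\.exe', re.IGNORECASE)
ACTIVE_SETUP = re.compile(r'^\[(HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Active Setup'
                          r'\\Installed Components\\[^\]]+)\]$', re.IGNORECASE | re.MULTILINE)

# Constructed `reg export` text (already decoded to str); class IDs and the benign entry are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-BENIGN-ID}]
"StubPath"="C:\\Windows\\system32\\example.exe /UserInstall"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-CLASS-ID}]
"StubPath"="c:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\isee.exe"
'''

# Constructed autorun.inf; the page only says the file carries execution instructions.
SAMPLE_INF = r'''[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
shell\Open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
icon=%SystemRoot%\system32\shell32.dll,4
'''

def suspicious_stubpaths(reg_text):
    """Return (key, data) for each Active Setup StubPath that launches from RECYCLER\\<SID>\\."""
    hits = []
    for block in reg_text.replace('\r\n', '\n').split('\n\n'):  # one key per block
        key = ACTIVE_SETUP.search(block)
        stub = re.search(r'^"StubPath"="(.*)"$', block, re.MULTILINE)
        if key and stub:
            data = stub.group(1).replace('\\\\', '\\')  # .reg files double every backslash
            if RECYCLER_EXE.search(data):
                hits.append((key.group(1), data))
    return hits

def autorun_launch_targets(inf_text):
    """Paths the [autorun] section asks Explorer to run: open=, shellexecute=, shell\\...\\command=."""
    targets, in_autorun = [], False
    for line in (l.strip() for l in inf_text.splitlines()):
        if line.startswith('['):                      # section header
            in_autorun = line.lower() == '[autorun]'
        elif in_autorun and '=' in line and not line.startswith(';'):
            k, v = (s.strip() for s in line.split('=', 1))
            if k.lower() in ('open', 'shellexecute') or k.lower().endswith('\\command'):
                targets.append(v)
    return targets

def autorun_runs_from_recycler(inf_text):
    """True when any launch target of the autorun.inf lies under RECYCLER\\<SID>\\, as Hamweq's does."""
    return any(RECYCLER_EXE.search(t) for t in autorun_launch_targets(inf_text))
```

On a live system, feed `suspicious_stubpaths` the decoded output of `reg export "HKLM\Software\Microsoft\Active Setup\Installed Components"` and `autorun_runs_from_recycler` the autorun.inf from the root of each removable drive.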
Payload
Backdoor Functionality
Once installed, the worm attempts to connect to an IRC server. At the time of publication, the worm had been observed contacting the following servers:
tassweq.com
lebanonbt.info
crank.dontexist.com
The backdoor’s controller may request that it perform the following activities:
download and execute arbitrary files
launch (or halt) flooding attacks against a specified server
Analysis by David Wood
Last update 16 March 2009