
Worm:Win32/Hamweq.E


First posted on 15 December 2009.
Source: SecurityHome

Aliases :

Worm:Win32/Hamweq.E is also known as Trojan-DDoS.Win32.Agent.bs (Kaspersky), W32/Smalltroj.EMMO (Norman), Win32/AutoRun.OA (ESET), W32/Sdbot.worm.gen.cc (McAfee), Backdoor.IRC.Bot (Symantec), TROJ_DELF.DLI (Trend Micro).

Explanation :

Win32/Hamweq.E is a worm that spreads via removable drives, such as USB memory sticks. It contains an IRC-based backdoor, which may be used by a remote attacker to order the affected machine to participate in Distributed Denial of Service attacks, or to download and execute arbitrary files.

Installation

When executed, Worm:Win32/Hamweq.E injects code into the "explorer.exe" process, which then copies the worm's executable as a hidden system file to:

c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe

It also creates a text file named "Desktop.ini" in the same directory, which makes the directory appear as a recycle bin in Windows Explorer, so its contents are hidden from casual browsing. If the executable is being run from a removable drive, it opens a Windows Explorer window displaying the contents of that drive, so that opening the drive appears to behave normally. It may attempt to delete older versions of itself if these are present. It also creates the following registry entry, which Active Setup executes at logon for each user who has not yet run it:

Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\{88ABC5C0-4FCB-11BB-AAX5-81CX1C635612}
Adds value: "StubPath"
With data: "c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe"

Note that the subkey name is not a valid GUID (it contains the letter X, which is not a hexadecimal digit), and that both the file name and the location imitate legitimate Windows artifacts: the real spoolsv.exe is the print spooler in %SystemRoot%\System32, and a StubPath pointing into a recycle-bin directory has no legitimate use. Either property makes this entry easy to spot when reviewing Active Setup keys.

Spreads via...

Removable drives

Worm:Win32/Hamweq.E periodically checks for the presence of removable drives (such as USB memory sticks). If one is found (other than the A: or B: drive), it copies itself to that drive as a hidden system file at <targeted drive>:\<recyclebin>\spoolsv.exe. It also creates a file called "Desktop.ini" in the same directory, and an "autorun.inf" file in the root directory of the removable drive, so that the copy is launched when the drive is opened on a machine with AutoRun enabled. Once the drive has been infected, the worm sends a message to the backdoor's controller (see below) reporting that it has done so.

Payload

Allows backdoor access and control

Once installed, the worm attempts to connect on TCP port 6667 (the standard IRC port) to an IRC server at IP address 124.217.248.112. The backdoor's controller may request that it perform the following activities:

  • download and execute arbitrary files
  • launch (or halt) flooding attacks against a specified server

Variants of Win32/Hamweq have been observed being instructed to download and execute variants of the Win32/Rimecud family, which were saved to the %userprofile% directory (e.g. \documents and settings\).
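The host checks below gather the indicators from the Installation, Spreads via and Payload sections into one read-only PowerShell triage script. This is an added example and not part of the original analysis or of any vendor tooling. The registry key, StubPath, RECYCLER\...\spoolsv.exe and Desktop.ini paths, the autorun.inf location and the IRC address and port are taken from the text above; the GUID-format test on the Active Setup subkey name, the additional $Recycle.Bin directory name for Vista and later, the Wow6432Node key, the spoolsv.exe process check and the use of netstat -ano are the example's own assumptions. It assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Hamweq.E host triage (added example; not from the original analysis).
# Read-only: it reports the indicators described above and deletes nothing.
# Assumes PowerShell 3.0 or later, run from an elevated prompt.

$IrcServer = '124.217.248.112'   # C2 address and port named in the analysis
$IrcPort   = 6667
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Active Setup persistence. StubPath runs once per user at logon. Legitimate
#    entries use a real GUID as the subkey name (sometimes prefixed with ">")
#    and point into %SystemRoot% or %ProgramFiles%. A StubPath under a RECYCLER
#    directory, or a subkey name that is not a valid GUID (the Hamweq key above
#    contains the letter X, which is not a hex digit), is reported for review.
$guidPattern = '^>?\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$activeSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'  # assumption: 64-bit hosts
)
foreach ($key in $activeSetupKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = $_.GetValue('StubPath')
        if (-not $stub) { return }   # return = skip this subkey inside ForEach-Object
        if ($stub -match '\\recycler\\' -or $_.PSChildName -notmatch $guidPattern) {
            Add-Finding 'ActiveSetup' "$($_.PSChildName) -> $stub"
        }
    }
}

# 2. Fake recycle bin: <drive>:\RECYCLER\<SID>\spoolsv.exe with a Desktop.ini
#    beside it. The real spoolsv.exe lives only in %SystemRoot%\System32.
#    RECYCLER is the Windows XP bin directory the worm hard-codes; $Recycle.Bin
#    (Vista and later) is checked as well, an assumption beyond the analysis.
# 3. autorun.inf in the root of every ready removable drive other than A:/B:.
foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if (-not $drive.IsReady) { continue }
    $root = $drive.RootDirectory.FullName
    foreach ($binName in 'RECYCLER', '$Recycle.Bin') {
        $bin = Join-Path $root $binName
        if (-not (Test-Path -LiteralPath $bin)) { continue }
        # -Force is required: the worm marks its files hidden + system.
        Get-ChildItem -LiteralPath $bin -Filter 'spoolsv.exe' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ini = Join-Path $_.DirectoryName 'Desktop.ini'
                $hasIni = Test-Path -LiteralPath $ini
                Add-Finding 'FakeRecycleBin' "$($_.FullName) (Desktop.ini present: $hasIni)"
            }
    }
    if ($drive.DriveType -eq 'Removable' -and $root -notmatch '^[AB]:') {
        $autorun = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $autorun) {
            $text = Get-Content -LiteralPath $autorun -Raw -ErrorAction SilentlyContinue
            Add-Finding 'Autorun' ("$autorun`n" + $text)
        }
    }
}

# 4. Live TCP connections to the IRC server, or to port 6667 anywhere. netstat
#    is parsed instead of Get-NetTCPConnection so this also works on the
#    Windows XP/2003-era hosts this worm targeted. Because the bot code runs
#    inside explorer.exe, expect the owning process to be explorer.exe.
netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
        $remoteIp, $remotePort, $state, $owningPid = $matches[1], $matches[2], $matches[3], $matches[4]
        if ($remoteIp -eq $IrcServer -or [int]$remotePort -eq $IrcPort) {
            $proc = (Get-Process -Id $owningPid -ErrorAction SilentlyContinue).ProcessName
            Add-Finding 'Network' "${remoteIp}:${remotePort} $state pid=$owningPid ($proc)"
        }
    }
}

# 5. A running spoolsv.exe whose image is not the real print spooler. Path is
#    empty for processes the current user cannot open, hence the guard.
Get-Process -Name spoolsv -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" } |
    ForEach-Object { Add-Finding 'Masquerade' "pid=$($_.Id) $($_.Path)" }

if ($findings.Count -eq 0) {
    'No Hamweq.E indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat the output as leads rather than verdicts: a vendor-supplied autorun.inf on a removable drive, or an unusual but legitimate Active Setup entry, will also be listed, so review each finding before cleaning. An explorer.exe connection to port 6667 combined with a StubPath into RECYCLER is the combination that matches the behaviour described above.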

Analysis by Vincent Tiu and David Wood

Last update 15 December 2009