W32/Hamweq.worm.a

This page shows details and results of our analysis on the malware W32/Hamweq.worm.a

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

File Information

    • MD5 - DE7167549F640D2AB96D75EE002A9136
    • SHA-1 - 2A7893F36210F1B2776EB1BB0E59D2FE36AA2D42
    • File Size - 17949 bytes.

Aliases

    • Kaspersky - Worm.Win32.AutoRun.egk
    • Ikarus - Virus.Worm.Win32.AutoRun.dht
    • Microsoft - Worm:Win32/Hamweq.A


Minimum DAT

5890 (2010-02-12)

Updated DAT

5937 (2010-03-31)

Minimum Engine

5400.1158

File Length

varies

Description Added

2010-02-12

Description Modified

2010-02-17

Malware Proliferation

Characteristics

When executed, the worm copies itself into the following location.

    • C:\ReCYCLER\S-1-(varies)\spoolsv.exe (Hidden)

It also drops the following file:

    • C:\ReCYCLER\S-1-(varies)\Desktop.ini (Hidden)

The following registry value is added to the system:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{88ABC5C0-4FCB-11BB-AAX5-81CX1C635612}\]
      "StubPath:" = "c:\ReCYCLER\S-1(varies)\spoolsv.exe"

Once the user's system is compromised, the worm looks for removable drives (e.g. USB memory sticks, flash drives). When a removable drive is found, the worm copies itself to the following location:

    • [Removable Drive]:\ReCYCLER\S-1-(varies)\Spoolsv.exe (Hidden)

The worm also creates a hidden "autorun.inf" file on the removable drive so that the copy is executed automatically when the infected drive is inserted into another computer.

When executed, the worm injects its code into explorer.exe and connects to the IP address 124.217.[removed].112 on remote port 6667, the port commonly used for IRC traffic. Over this channel the worm acts as a backdoor, downloading and executing files from the remote server, and it can also be instructed to perform flooding attacks.

Symptoms

    • Presence of the above-mentioned files and registry keys
    • Presence of an unexpected network connection to the above-mentioned IP address, or of explorer.exe connecting to remote port 6667
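The Characteristics and Symptoms sections together describe three host-side indicators: the hidden ReCYCLER\S-1-*\spoolsv.exe drop (plus autorun.inf on removable media), the Active Setup StubPath persistence, and an explorer.exe connection to port 6667. The following Python script is an added example, not McAfee's code and not part of the original advisory; it turns those indicators into a triage check over three inputs a responder already has to hand: a file listing, a .reg export of the Active Setup key, and netstat -ano output. All sample data below is constructed; the third octet of the C2 address is redacted on the page, so the sample line uses 0 as a placeholder and the matcher treats that octet as a wildcard. The PID-to-image mapping is assumed to come from tasklist.

```python
import re

# Indicators transcribed from the advisory above. The third octet of the C2
# address is redacted on the page, so it is matched here as a wildcard.
RECYCLER_DROP = re.compile(
    r"^[A-Z]:\\ReCYCLER\\S-1-?[0-9\-]*\\(spoolsv\.exe|desktop\.ini)$", re.IGNORECASE)
AUTORUN_INF = re.compile(r"^[A-Z]:\\autorun\.inf$", re.IGNORECASE)
ACTIVE_SETUP_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
    r"\\\{[^}]+\}\\?\]$", re.IGNORECASE)
STUBPATH_VALUE = re.compile(r'^"StubPath:?"\s*=\s*"(.*)"$', re.IGNORECASE)
C2_ADDRESS = re.compile(r"^124\.217\.\d{1,3}\.112$")
IRC_PORT = 6667
# netstat -ano TCP row: proto, local addr:port, remote addr:port, state, PID
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def scan_paths(paths):
    """Return file paths matching the drop locations named in the advisory."""
    hits = []
    for path in paths:
        p = path.strip()
        if RECYCLER_DROP.match(p):
            hits.append(p)
        elif AUTORUN_INF.match(p) and not p.upper().startswith("C:"):
            # autorun.inf on a non-system drive is a lead, not a verdict:
            # optical media and some vendor tools ship one legitimately.
            hits.append(p)
    return hits


def scan_reg_export(reg_text):
    """Parse a .reg-style export and flag Active Setup StubPath values that
    launch something out of a ReCYCLER folder (the persistence described above)."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current_key = line
            continue
        m = STUBPATH_VALUE.match(line)
        if m and current_key and ACTIVE_SETUP_KEY.match(current_key):
            stub = m.group(1).replace("\\\\", "\\")  # real .reg exports double backslashes
            if "\\recycler\\" in stub.lower():
                hits.append({"key": current_key, "stubpath": stub})
    return hits


def scan_netstat(netstat_lines, pid_names):
    """Flag connections to the advisory's C2 address or to port 6667 (IRC).
    pid_names maps PID -> image name; the worm runs inside explorer.exe, so a
    hit owned by that process is rated high, any other owner medium."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header row, UDP rows (no state column), blank lines
        _proto, _laddr, _lport, raddr, rport, state, pid = m.groups()
        rport, pid = int(rport), int(pid)
        reasons = []
        if C2_ADDRESS.match(raddr):
            reasons.append("remote address matches advisory C2 prefix")
        if rport == IRC_PORT:
            reasons.append("remote port 6667 (IRC)")
        if not reasons:
            continue
        image = pid_names.get(pid, "unknown")
        hits.append({"pid": pid, "image": image, "remote": f"{raddr}:{rport}", "state": state,
                     "reasons": reasons,
                     "severity": "high" if image.lower() == "explorer.exe" else "medium"})
    return hits


def triage(paths, reg_text, netstat_lines, pid_names):
    """Combine the three checks into one verdict, mirroring the Symptoms list."""
    report = {"files": scan_paths(paths), "persistence": scan_reg_export(reg_text),
              "network": scan_netstat(netstat_lines, pid_names)}
    report["likely_infected"] = bool(report["files"] and report["persistence"]) or any(
        h["severity"] == "high" for h in report["network"])
    return report


# Constructed sample inputs (hypothetical host); the SID and GUID are illustrative.
SAMPLE_PATHS = [
    r"C:\ReCYCLER\S-1-5-21-1234567890-500\spoolsv.exe",
    r"C:\ReCYCLER\S-1-5-21-1234567890-500\Desktop.ini",
    r"C:\Windows\System32\spoolsv.exe",                 # the legitimate print spooler
    r"E:\ReCYCLER\S-1-5-21-1234567890-500\Spoolsv.exe",  # copy on a removable drive
    r"E:\autorun.inf",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{88ABC5C0-4FCB-11BB-AAX5-81CX1C635612}\]
"StubPath:" = "c:\ReCYCLER\S-1-5-21-1234567890-500\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"
'''
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    192.168.1.20:49731     124.217.0.112:6667     ESTABLISHED     1840",  # 0 = redacted octet placeholder
    "  TCP    192.168.1.20:49732     203.0.113.10:443       ESTABLISHED     2212",
    "  TCP    192.168.1.20:49740     203.0.113.45:6667      ESTABLISHED     2212",
    "  UDP    0.0.0.0:123            *:*                                    1088",
]
SAMPLE_PIDS = {1840: "explorer.exe", 2212: "chat.exe", 1088: "svchost.exe"}

if __name__ == "__main__":
    for section, value in triage(SAMPLE_PATHS, SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PIDS).items():
        print(section, value)
```

On a real host the three inputs come from dir /s /b /a:h on each drive, reg export of the Active Setup\Installed Components key, and netstat -ano together with tasklist for the PID names. The file check deliberately ignores C:\Windows\System32\spoolsv.exe, the legitimate print spooler whose name the worm borrows, and a port 6667 connection from something other than explorer.exe is rated medium rather than high because IRC clients use that port legitimately.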

Method of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants