Worm:Win32/Hamweq.K is a worm that spreads via removable drives, such as USB memory sticks. It may also be used by a remote attacker to order the affected machine to participate in Distributed Denial of Service attacks.
When executed, Worm:Win32/Hamweq.K injects code into the explorer.exe process, which then copies Hamweq’s executable to <recyclebin>\sic32.exe. It also creates a harmless text file named 'Desktop.ini' in the same directory.
Worm:Win32/Hamweq.K periodically checks for the presence of removable drives (such as USB memory sticks). If one is found, it copies itself to this drive as <recyclebin>\sic32.exe. It also creates an autorun.inf file in the root directory of the removable drive.
The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs. The autorun.inf file used by Hamweq is detected as Worm:Win32/Hamweq!inf.
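A triage check for the autorun.inf behaviour described above, as an added example that is not part of the original analysis: it parses the autorun.inf of a removable drive and reports launch commands that point into a Recycle Bin folder, so that an installer's autorun.inf is not flagged. The folder names standing in for <recyclebin> and both sample files are assumptions constructed for illustration.

```python
import re

# Assumption: <recyclebin> on this page stands for one of the usual
# Windows Recycle Bin directory names.
RECYCLE_DIRS = ("recycler", "recycled", "$recycle.bin")
# autorun.inf keys that make Windows Explorer launch a program.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# Constructed samples, not taken from a real infection.
SAMPLE_INSTALLER = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"
SAMPLE_WORM_STYLE = (
    "[autorun]\n"
    "; filler comment\n"
    "open=RECYCLER\\sic32.exe\n"
    "shell\\open\\command=RECYCLER\\sic32.exe\n"
)


def autorun_commands(text):
    """Return (key, command) pairs for launch keys in [autorun] sections."""
    commands, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if EXEC_KEY.match(key):
                commands.append((key.lower(), value))
    return commands


def suspicious_commands(text):
    """Return launch commands whose path passes through a Recycle Bin folder."""
    hits = []
    for key, command in autorun_commands(text):
        # Split on path separators, whitespace and quotes so that a path
        # passed as an argument to another program is still inspected.
        parts = re.split(r'[\\/\s"]+', command.lower())
        if any(part in RECYCLE_DIRS for part in parts):
            hits.append((key, command))
    return hits
```

To check a mounted drive, read the autorun.inf in its root directory as text and pass the contents to `suspicious_commands`; an empty list means no launch command points into a Recycle Bin folder.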
Distributed Denial of Service Attack
Once installed, the worm attempts to connect to IRC servers at l.sqlteam.info, nw.manswar.com or nwnw.locop.net via port 7000. The worm's controller may then request that it launch flood attacks against a specified server.
Analysis by Vincent Tiu