Worm:Win32/Hamweq.DD is a worm that spreads via removable drives, such as USB memory sticks. It contains an IRC-based backdoor, which may be used by a remote attacker to order the affected machine to participate in Distributed Denial of Service attacks, or to download and execute arbitrary files.
Installation
When executed, Win32/Hamweq injects code into the 'explorer.exe' process, which then copies Hamweq’s executable as a hidden system file to a directory such as \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013. File names used at the time of publication have included the following:
pqlmq.exe
qssmon.exe
8vse432.exe
vsofat.exe
vsexy1.exe
vse432.exe
Other examples of directories used include:
\recycler\s-1-5-21-0243636035-3055115376-381863306-1556
\recycler\s-1-5-21-0233877231-816352009-722880038-1340
\recycler\s-1-5-21-4453664231-816334009-766434223-1360
\recycler\s-1-5-21-0243336031-4052116379-881863308-0851
\recycler\s-1-5-21-0243936033-3052116371-381863308-1859
\recycler\s-1-5-21-0243336031-1052116379-181863308-1851
It also creates a text file named 'Desktop.ini' in the same directory, which makes the directory appear as a recycle bin in Windows Explorer.
If the executable is being copied from a removable drive, it opens a Windows Explorer window displaying the contents of that drive.
It may attempt to delete older versions of itself if these are present.
It also creates the following registry entry:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\<class id>\
Adds Value: StubPath
With data: "<full pathname of malware>"
It uses a mutex such as 'asd-+094997' to ensure that no more than one copy of itself runs at a time.
Spreads via…
Removable drives
Win32/Hamweq periodically checks for the presence of removable drives (such as USB memory sticks). If one is found (other than the A: or B: drive), it copies itself to this drive as a hidden system file, using the same pathname as that used on the local hard disk (for example \recycler\s-1-5-21-0243336031-4052116379-881863308-0851\8vse432.exe). It also creates a file called 'Desktop.ini' in the same directory, and an 'autorun.inf' file in the root directory of the removable drive.
Once the infection of the drive has been completed, it sends a message to the backdoor’s controller (see below) advising that it has done so.
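The installation and removable-drive artefacts described above can be matched offline. The following Python triage helpers are an added example, not part of this analysis: they flag a hidden system .exe under a \RECYCLER\S-1-5-21-...\ directory that sits next to a Desktop.ini, an autorun.inf in the drive root that launches such a file, and an Active Setup StubPath value pointing at one. The drive listing, the autorun.inf text (the write-up does not give its contents) and the StubPath data are constructed sample inputs.

```python
import re
from configparser import ConfigParser

# Path shape used by the worm: [C:]\recycler\s-1-5-21-<n>-<n>-<n>-<n>\<name>.exe
RECYCLER_EXE = re.compile(
    r"^(?:[a-z]:)?\\?recycler\\s-1-5-21(?:-\d+){4}\\[^\\]+\.exe$", re.IGNORECASE)

def is_recycler_exe(path):
    """True when a path (optionally quoted) has the RECYCLER\\SID\\name.exe shape."""
    return bool(RECYCLER_EXE.match(path.strip().strip('"')))

def autorun_commands(autorun_inf):
    """Executables referenced by [autorun] via open=, shellexecute= or shell\\...\\command=."""
    cp = ConfigParser(interpolation=None, strict=False)  # autorun.inf is INI-like
    cp.read_string(autorun_inf)
    if not cp.has_section("autorun"):
        return []
    return [v.strip().strip('"') for k, v in cp.items("autorun")
            if k in ("open", "shellexecute") or k.endswith("\\command")]

def triage_drive(files, autorun_inf, stubpaths):
    """files: {path: {"hidden": bool, "system": bool}} listing of one drive.
    stubpaths: StubPath data strings read from Active Setup\\Installed Components\\*.
    Returns human-readable findings (empty list for a clean drive)."""
    findings = []
    lowered = {p.lower() for p in files}
    for path, attrs in files.items():
        if is_recycler_exe(path) and attrs.get("hidden") and attrs.get("system"):
            folder = path.rsplit("\\", 1)[0]
            if (folder + "\\desktop.ini").lower() in lowered:  # fake recycle bin
                findings.append(f"hidden system exe beside Desktop.ini: {path}")
    for cmd in autorun_commands(autorun_inf):
        if is_recycler_exe(cmd):
            findings.append(f"autorun.inf launches RECYCLER exe: {cmd}")
    for data in stubpaths:
        if is_recycler_exe(data):
            findings.append(f"Active Setup StubPath persistence: {data}")
    return findings

# Constructed sample inputs (not captured from a real infection).
SID_DIR = "\\recycler\\s-1-5-21-0243336031-4052116379-881863308-0851"
SAMPLE_FILES = {
    "\\autorun.inf": {"hidden": True, "system": True},
    SID_DIR + "\\Desktop.ini": {"hidden": True, "system": True},
    SID_DIR + "\\8vse432.exe": {"hidden": True, "system": True},
    "\\holiday.jpg": {"hidden": False, "system": False},
}
SAMPLE_AUTORUN = "[autorun]\nopen=" + SID_DIR[1:] + "\\8vse432.exe\n" \
    "shell\\open\\command=" + SID_DIR[1:] + "\\8vse432.exe\n"
SAMPLE_STUBPATHS = [  # first mimics the worm's entry, second is a benign placeholder
    '"C:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\pqlmq.exe"',
    "C:\\Program Files\\Example\\setup.exe /silent",
]

if __name__ == "__main__":
    for line in triage_drive(SAMPLE_FILES, SAMPLE_AUTORUN, SAMPLE_STUBPATHS):
        print(line)
```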
Payload
Allows backdoor access and control
Once installed, the worm attempts to connect to an IRC server. Servers observed to be used at the time of publication have included:
newss.alwaysproxy.info
orts.alwaysproxy4.info
ofat.hmarhelo.com
ports.alwaysproxy.info
jiri.alwaysproxy4.info
The backdoor’s controller may request that it perform the following activities:
Variants of Win32/Hamweq have been observed being requested to download and execute variants of the Win32/Rimecud family, which were saved to the %userprofile% directory (for example, \documents and settings\<user name>).
Analysis by David Wood