Threat behavior
Worm:Win32/Hamweq.C is a worm that spreads via removable drives, such as USB memory sticks. It contains an IRC-based backdoor, which may be used by a remote attacker to order the affected machine to participate in Distributed Denial of Service attacks, or to download and execute arbitrary files.
Installation
When executed, Worm:Win32/Hamweq.C injects code into the explorer.exe process, which then copies Hamweq’s executable to \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe.
It also creates a harmless text file named 'Desktop.ini' in the same directory.
It may attempt to delete older versions of itself if these are present on the affected machine.
It also creates the following registry entry:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}\
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe"
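The Active Setup StubPath entry above is the worm's persistence mechanism: Windows runs each StubPath once per user at logon. An added example (not from this page or from Microsoft) that parses a `reg export` dump of the Installed Components key and flags StubPath values that launch from a Recycle Bin directory or from outside the Windows and Program Files trees. The sample export is constructed; its first component uses the key and path named on this page, and the second component is an invented benign entry for contrast.

```python
import re

# Constructed sample of a `reg export` dump of the Active Setup key. The first
# component mirrors the StubPath entry described on this page; the second is a
# made-up benign component added for contrast (not a real Windows component).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
"StubPath"="c:\\RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\isi32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{EXAMPLE-BENIGN-COMPONENT}]
"StubPath"="C:\\Windows\\System32\\example.exe /setup"
"""

# Recycle Bin directories are data folders; nothing legitimate installs there.
RECYCLE_DIR = re.compile(r"\\recycle[rd]\\", re.IGNORECASE)
# Roots under which Active Setup stubs normally live.
TRUSTED_ROOT = re.compile(
    r"^(?:[a-z]:\\(?:windows|program files(?: \(x86\))?)\\|%systemroot%|%programfiles%)",
    re.IGNORECASE,
)


def _unescape_reg_string(value: str) -> str:
    """Undo the escaping .reg files apply to string (REG_SZ) data."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def find_suspicious_stubpaths(reg_text: str) -> list:
    """Return Active Setup StubPath values that warrant a closer look.

    Each finding is a dict with the registry key, the decoded StubPath and
    the reasons it was flagged.
    """
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            # Only track sections under Active Setup\Installed Components.
            current_key = key if 'active setup\\installed components\\' in key.lower() else None
            continue
        m = re.match(r'"StubPath"="(.*)"$', line)
        if not (m and current_key):
            continue
        path = _unescape_reg_string(m.group(1))
        reasons = []
        if RECYCLE_DIR.search(path):
            reasons.append('launches from a RECYCLER/RECYCLED directory')
        if not TRUSTED_ROOT.match(path.lstrip('"')):
            reasons.append('executable outside Windows or Program Files')
        if reasons:
            findings.append({'key': current_key, 'stubpath': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in find_suspicious_stubpaths(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\n  StubPath: {f['stubpath']}\n  reasons: {', '.join(f['reasons'])}")
```

Export the live key with `reg export "HKLM\Software\Microsoft\Active Setup\Installed Components" components.reg` and feed the file to `find_suspicious_stubpaths`; the "outside Windows or Program Files" heuristic is deliberately broad and will also surface legitimate third-party stubs, so treat it as a triage list rather than a verdict.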
Spreads Via…
Removable Drives
Worm:Win32/Hamweq.C periodically checks for the presence of removable drives (such as USB memory sticks). If one is found (other than the A: or B: drive), it copies itself to that drive as a hidden system file at \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe. It also creates a file called 'Desktop.ini' in the same directory, and an autorun.inf file in the root directory of the removable drive.
The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs. The autorun.inf file used by Hamweq is detected as Worm:Win32/Hamweq!inf.
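Because autorun.inf is also used by legitimate installers, a useful check is not "does an autorun.inf exist" but "what does it launch, and from where". An added example (not from this page or from Microsoft) that parses the [autorun] section, collects every value that makes Explorer run something (open, shellexecute, shell\…\command) and flags launch targets inside a Recycle Bin or SID-named directory. Both autorun.inf samples are constructed: the page does not reproduce Hamweq's actual file, so the suspicious sample simply points at the drop path named above, and the benign one imitates an installer CD.

```python
import re

# Constructed autorun.inf samples. The page does not reproduce Hamweq's own
# autorun.inf; the first sample just points at the path the worm drops on the
# drive, the second mimics a typical installer CD.
SUSPICIOUS_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe
"""

BENIGN_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.ico
label=Example Product Installer
"""

# SID-style directory names (S-1-5-21-...) belong inside a real Recycle Bin on
# a fixed NTFS volume, not in a removable drive's launch path.
SID_DIR = re.compile(r"S-1-5-21(?:-\d+){3,}", re.IGNORECASE)
RECYCLE_DIR = re.compile(r"(?:^|\\)recycle[rd]\\", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return key/value pairs of the [autorun] section, keys lowercased.

    Hand-rolled rather than configparser because real autorun.inf files are
    often sloppy (stray lines, odd casing) and must not abort the scan.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_autorun = line[1:-1].strip().lower() == 'autorun'
            continue
        if in_autorun and '=' in line:
            key, value = line.split('=', 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: dict) -> list:
    """Collect every value that makes Explorer run something."""
    targets = []
    for key, value in entries.items():
        if key in ('open', 'shellexecute') or (key.startswith('shell\\') and key.endswith('\\command')):
            targets.append(value)
    return targets


def triage_autorun(text: str) -> dict:
    """Score an autorun.inf: installers launch a file in the drive root, this
    worm family launches a hidden executable under a RECYCLER/SID directory."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons = []
    for target in targets:
        if RECYCLE_DIR.search(target):
            reasons.append(f'launch target inside a Recycle Bin directory: {target}')
        if SID_DIR.search(target):
            reasons.append(f'launch target inside a SID-named directory: {target}')
    return {'launch_targets': targets, 'reasons': reasons, 'suspicious': bool(reasons)}


if __name__ == '__main__':
    for name, sample in (('suspicious', SUSPICIOUS_AUTORUN), ('benign', BENIGN_AUTORUN)):
        result = triage_autorun(sample)
        print(name, '->', 'SUSPICIOUS' if result['suspicious'] else 'ok', result['reasons'])
```

Run `triage_autorun` over the root autorun.inf of a drive before anything else on it is opened; a target the parser flags is the file to hash and submit, and a target that points at a file carrying hidden and system attributes (as described for isi32.exe above) deserves the same scrutiny even when neither regex fires.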
Once the infection of the drive is complete, it sends a notification message to the backdoor’s controller (see Payload section below for additional detail).
Payload
Backdoor Functionality
Once installed, the worm attempts to connect to an IRC server at nadnadzzz.info. The worm's controller may then request that it perform the following activities:
Analysis by David Wood
Prevention