Wednesday, April 13, 2011

Remove Worm win32 Hamweq !inf

Worm:Win32/Hamweq is a worm that spreads via removable drives, such as USB memory sticks. It contains an IRC-based backdoor, which may be used by a remote attacker to order the affected machine to participate in Distributed Denial of Service attacks, or to download and execute arbitrary files.
Symptoms
System Changes
The following system changes may indicate the presence of Worm:Win32/Hamweq.A:
Presence of the following files:
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
Presence of the following registry modification (for example):
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\\
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\"
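A PowerShell host check for the indicators listed above, added here as an example (it is not part of the original post or Microsoft's own tooling). It assumes a Windows host with the default HKLM: registry drive, and it only reports an autorun.inf when the same drive also carries the \RECYCLER\<SID>\ directory, since autorun.inf by itself is not proof of infection.

```powershell
# Added example: scan for the Hamweq indicators from the Symptoms section.
$sidDir = 'S-1-5-21-1482476501-1644491937-682003330-1013'
$names  = 'isee.exe', 'ise.exe', 'ise32.exe', 'iuhx32.exe'
$findings = @()

# 1. Dropped copies under \RECYCLER\<SID>\ on every fixed and removable drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $dir = Join-Path $drive.Root "RECYCLER\$sidDir"
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
    }
    # autorun.inf is only interesting next to the RECYCLER copy (see note above).
    $ar = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $ar) { $findings += "autorun.inf on infected drive: $ar" }
}

# 2. Active Setup StubPath values that point into the RECYCLER directory.
$base = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
foreach ($comp in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
    $stub = (Get-ItemProperty -Path $comp.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match "RECYCLER\\$sidDir") {
        $findings += "Registry: $($comp.PSChildName) StubPath = $stub"
    }
}

if ($findings.Count -eq 0) { 'No Hamweq indicators found.' } else { $findings }
```

Run it from an elevated prompt so the Active Setup subkeys and hidden system files on removable drives are readable.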


Technical Information
Installation
When executed, Worm:Win32/Hamweq injects code into the explorer.exe process, which then copies Hamweq’s executable to the \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ directory. At the time of publication, we had observed the following filenames being used for this copy:
isee.exe
ise.exe
ise32.exe
iuhx32.exe

It also creates a harmless text file named 'Desktop.ini' in the same directory.
It may attempt to delete older versions of itself if these are present on the affected machine.
It also creates the following registry entry:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\\
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\"

For example, the entry created by one variant is as follows:
Under key: HKLM\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-81C01C608512}\
Adds value: StubPath
With data: "c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe"

It uses a mutex such as “asd-+094997” to ensure that no more than one copy runs at a time.
Spreads Via…
Removable Drives
Worm:Win32/Hamweq periodically checks for the presence of removable drives (such as USB memory sticks). If one is found (other than the A: or B: drive), it copies itself to that drive as a hidden system file in the \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ directory, using the same filename as its copy on the local hard disk. It also creates a file called 'Desktop.ini' in the same directory, and an autorun.inf file in the root directory of the removable drive.

The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs. The autorun.inf file used by Hamweq is detected as Worm:Win32/Hamweq!inf.

Once the infection of the drive is complete, it sends a notification message to the backdoor’s controller (see Payload section below for additional detail).
Payload
Backdoor Functionality
Once installed, the worm attempts to connect to an IRC server. At the time of publication, the worm had been observed contacting the following servers:
tassweq.com
lebanonbt.info
crank.dontexist.com
The backdoor’s controller may request that it perform the following activities:
download and execute arbitrary files
launch (or halt) flooding attacks against a specified server

Recovery Steps
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com).
