

VIRUS ALERTS

Worm Hamweq

Original issue date: October 21, 2008

Worm:Win32/Hamweq is a worm that spreads via removable drives, such as USB memory sticks. The worm also contains an IRC-based backdoor, which a remote attacker may use to order the affected machine to participate in Distributed Denial of Service attacks, or to download and execute arbitrary files.

Aliases:

  • Win32:Trojan-gen (Avast)
  • Klone.W (AVG (GriSoft))
  • TR/Crypt.XPACK.Gen (Avira)
  • Backdoor.Hamweq.A (BitDefender)
  • Trojan.Kolabc.BFY (ClamAV)
  • Mal/Generic-A (Sophos)
  • Backdoor.IRC.Flood (Symantec)
  • Worm.Win32.AutoRun.djd (Vba32)

Upon execution, the worm:

  • Injects code into the explorer.exe process.

  • Creates the folder \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ and drops the following files into it:

    • isee.exe
    • ise.exe
    • ise32.exe
    • iuhx32.exe
    • dll32.exe (identified as Worm:Win32/Hamweq.G [Microsoft])

  • Creates the following registry entries:

    • HKLM\Software\Microsoft\Active Setup\Installed Components\{CLSID}\StubPath
    • HKCU\Software\Microsoft\Active Setup\Installed Components\{CLSID}\StubPath
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tester

    All of them point to the file C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\<exe name>

  • Creates a mutex such as “asd-+094997” to ensure that no more than one copy runs at a time.

  • Periodically checks (every 10 seconds) for the presence of removable drives (such as USB memory sticks). If one is found (other than the A: or B: drive), it copies itself to that drive as a hidden system file in the \RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ directory. In addition to the files mentioned above, it also drops an autorun.inf file in the root directory of the removable drive.

    The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed. The autorun.inf file used by Hamweq is detected as Worm:Win32/Hamweq!inf.

  • Attempts to connect to any of the following IRC servers:

    • Tas[removed].com
    • leb[removed].info
    • cra[removed]xist.com
    • [removed]mansWar.com

      One of the observed communications (with [removed]mansWar.com) is given below:

      PASS xxxxxxxxx NICK daszve
      PASS xxxxxxxxx NICK daszve USER gjkeiu "" "bcq" :gjkeiu

In view of the rapid propagation of the Hamweq worm, users are advised to implement the following countermeasures:

  • Search for the malicious files created by the Hamweq worm and delete them
  • Search for the registry entries made by the Hamweq worm and delete them
  • Install and maintain updated anti-virus software at gateway and desktop level
  • Keep up to date on patches and fixes for the operating system and the above-mentioned vulnerabilities
  • Exercise caution while opening email attachments
  • Install and maintain a firewall at desktop level
  • Block the IRC service and related ports, if not required
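The first two countermeasures amount to a hunt for the drop folder, the autorun.inf and the persistence keys described above. The PowerShell script below is an added, report-only example written for this page, not part of the CERT-In alert or of any vendor tooling: the SID-style folder name, file names and registry locations are taken from the alert, while the drive enumeration, the assumption that the worm's autorun.inf mentions RECYCLER, and the output format are this script's own.

```powershell
# Report-only hunt for the Hamweq indicators named in this alert.
# The SID-style folder name, file names and registry locations come from
# the alert; everything else (drive enumeration, matching, output) is this
# script's own assumption. Nothing is deleted.
$Sid       = 'S-1-5-21-1482476501-1644491937-682003330-1013'
$DropNames = 'isee.exe', 'ise.exe', 'ise32.exe', 'iuhx32.exe', 'dll32.exe'
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Dropped files: \RECYCLER\<SID>\ on every file-system drive, fixed or removable.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    if (-not $root) { continue }
    $dir = Join-Path $root "RECYCLER\$Sid"
    if (Test-Path -LiteralPath $dir -ErrorAction SilentlyContinue) {
        # -Force so the hidden/system attributes the worm sets do not hide the files.
        Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $DropNames -contains $_.Name } |
            ForEach-Object { $Findings.Add("dropped file: $($_.FullName)") }
    }
    # autorun.inf in the drive root; flag it if its commands reference RECYCLER
    # (assumption: the alert only says the file is dropped, not its exact contents).
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($text -and $text -match '(?i)RECYCLER') {
            $Findings.Add("autorun.inf referencing RECYCLER: $inf")
        }
    }
}

# 2. Persistence: Active Setup StubPath values and HKCU ...\Run\tester, which the
#    alert says point into C:\RECYCLER\<SID>\.
$pattern = [regex]::Escape("RECYCLER\$Sid")
foreach ($hive in 'HKLM:', 'HKCU:') {
    $base = "$hive\Software\Microsoft\Active Setup\Installed Components"
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $stub = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub -and $stub -match $pattern) {
            $Findings.Add("Active Setup StubPath: $($key.PSPath) -> $stub")
        }
    }
}
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$tester = (Get-ItemProperty -Path $runKey -Name tester -ErrorAction SilentlyContinue).tester
if ($tester) { $Findings.Add("Run\tester -> $tester") }

# 3. Report; any hit should be removed as the countermeasures above describe.
if ($Findings.Count -gt 0) { $Findings | ForEach-Object { Write-Output "[HAMWEQ] $_" } }
else { Write-Output 'No Hamweq indicators found.' }
```

Run it from an elevated PowerShell session so the HKLM Active Setup keys and hidden files on all drives are readable; the Active Setup check only reports entries whose StubPath contains the RECYCLER path, so a clean machine with other vendors' StubPath values produces no false hits.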

References

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fHamweq.A

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=147256

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fHamweq.C

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fHamweq.D

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fHamweq.E

http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fHamweq!inf

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003