Hamweq worm sliced by Microsoft's MSRT

Hamweq makes it onto MSRT's list as an IRC-controlled backdoor that spreads via removable drives. It has multiple means of hiding its presence: it installs itself into a hidden directory that it disguises as a Recycle Bin and, once run, injects several code sections, and separately each of the encrypted strings it uses, into the explorer.exe process. As a result it never appears as a separate entry in any list of running processes, and because its network traffic originates from explorer.exe it may also pass through any host firewall that is installed. Some Hamweq variants also take part in DDoS attacks.

It also writes an autorun.inf file to the drive containing an action labelled "Open folder to view files". When the drive is attached to another system, the AutoPlay dialog shows two options that look alike: one opens the drive in Windows Explorer, the other runs the malware. If the malware is launched from a removable drive it also opens Windows Explorer, so the user may not notice any difference between the two options.

To reduce the effectiveness of these worms, ensure that autorun content is not displayed in the AutoPlay dialog when removable or network drives are attached. On Windows 7 this is the default behaviour; on earlier Windows versions, follow the instructions in KB971029. Alternatively, on Windows Vista or later, you can disable AutoPlay completely, or for particular types of media, from the "Hardware and Sound" section of Control Panel.
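The lure and the mitigation above can both be checked mechanically. The following is an added example for this page, not code from the original post or from Microsoft: it parses an autorun.inf the way a responder would triage a suspect USB stick, flags the Hamweq-style trick (an executable launch entry whose action label copies Windows' own "Open folder to view files" text), and evaluates a NoDriveTypeAutoRun policy value against a drive type. The two autorun.inf samples and the path RECYCLER\hidden.exe are constructed for illustration; the NoDriveTypeAutoRun bit layout is the standard Windows Explorer policy value behind "Turn off AutoPlay", which the article itself does not name.

```python
"""Triage an autorun.inf from a suspect removable drive.

Added example for this article; not code from the original post or from
Microsoft. The autorun.inf contents and the path RECYCLER\\hidden.exe are
constructed to mirror the lure the article describes, not a real sample.
"""
import configparser

# Bits of the NoDriveTypeAutoRun policy value (under
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). Each set bit
# disables autorun for one Win32 drive type (1 << drive type); 0xFF disables
# autorun for every drive type.
DRIVE_REMOVABLE = 0x04
DRIVE_REMOTE = 0x10
DISABLE_ALL = 0xFF

# Label Windows itself uses for the legitimate Explorer entry in AutoPlay;
# the worm copies it so the two entries look identical.
EXPLORER_LABEL = "open folder to view files"

# Constructed sample of a Hamweq-style autorun.inf (assumption, not real).
MALICIOUS_AUTORUN_INF = r"""
[autorun]
open=RECYCLER\hidden.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\hidden.exe
"""

# Constructed benign sample: cosmetic keys only, nothing to execute.
BENIGN_AUTORUN_INF = r"""
[AutoRun]
icon=vendor.ico
label=Company USB Drive
"""


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict of lowercased keys, or None."""
    # autorun.inf is INI-like; duplicates happen in the wild (strict=False)
    # and values such as %SystemRoot% must not be interpolated.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k: v.strip() for k, v in cp.items(name)}
    return None


def launch_targets(entries):
    r"""Everything the file would execute: open=, shellexecute= and any
    shell\<verb>\command= entry."""
    targets = []
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            targets.append(value)
        elif key.startswith("shell\\") and key.endswith("\\command"):
            targets.append(value)
    return targets


def triage(text):
    """Summarise what an autorun.inf would do and whether it mimics Explorer."""
    entries = parse_autorun_inf(text)
    if entries is None:
        return {"launch_targets": [], "mimics_explorer_label": False,
                "hamweq_style_lure": False}
    targets = launch_targets(entries)
    mimics = entries.get("action", "").lower() == EXPLORER_LABEL
    return {
        "launch_targets": targets,
        "mimics_explorer_label": mimics,
        # Any launch target on removable media deserves a look; the copied
        # label is the specific trick that makes the two AutoPlay entries match.
        "hamweq_style_lure": bool(targets) and mimics,
    }


def autorun_enabled(no_drive_type_autorun, drive_flag):
    """True if the policy value still permits autorun for that drive type."""
    return not (no_drive_type_autorun & drive_flag)


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN_INF),
                         ("benign", BENIGN_AUTORUN_INF)):
        print(name, triage(sample))
    print("removable autorun with 0xFF:",
          autorun_enabled(DISABLE_ALL, DRIVE_REMOVABLE))
```

The triage deliberately separates "has something to execute" from "copies the Explorer label": on a removable drive the first is already a reason to inspect the stick, while the second is what makes the AutoPlay entries indistinguishable to a user. `autorun_enabled` is the check to run against the value actually present in the registry after applying the Control Panel or Group Policy change, since a mask that clears only the removable bit still leaves network drives exposed.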