Home / malware Backdoor.Hamweq.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Backdoor.Hamweq.A.
Explanation :
The virus starts by decryipting a part of its code in order to resolve its imports. When that is done it searches for the process svchost.exe, injects in it and creates the mutex asd..6567fj.
After the virus code has been injected it checks if it runs from C:RecyclerD-1-5-21-1482476501-1644491937-682003330-1013autorun.exe and if doesn't it copies to that location. It then creates two threads.
The first one tries to create on every 2 seconds the following registry keys and values:
HKLMSoftwareMicrosoftActive SetupInstalled Components{08B0e5c0-4fcb-11cf-aax5-00401c608512}stubPath
HKCUSoftwareMicrosoftActive SetupInstalled Components{08B0e5c0-4fcb-11cf-aax5-00401c608512}stubPath
HKCUSoftwareMicrosoftWindowsCurrentVersionRUN ester
all pointing to the file
C:RECYCLERS-1-5-21-1482476501-1644491937-682003330-1013autorun.exe
The second one scans on every 10 seconds for removable drives and if it finds one it creates the folder
R:RECYCLERS-1-5-21-1482476501-1644491937-682003330-1013 and copies itself to the new location under the name of autorun.exe. After that, it creates a file Desktop.ini in the new created folder in which it writes
[.shellClassInfo]
CLSID={645ff040-5081-101b-9f08-00aa002f954e}
It creates an autorun.inf file in the root of the removable drive in which it writes:
[autorun]
open=R:RECYCLERS-1-5-21-1482476501-1644491937-682003330-1013autorun.exe
icon=%SystemRoot%system32SHELL32.dll,4
action=Open folder to view files
shellopen=Open
shellopencommand=RECYCLERS-1-5-21-1482476501-682003330-1013autorun.exe)
R is considered the letter of the removable drive
While the threads are running the virus starts an internet connection and attempts to connect on every 10 seconds to a list of different servers. The version analyzed has only one server and one port in the list.(iams.wear[hidden].net, port 5349).
After the connection has been established it creates 3 pseudo-random strings. The first one represents the nick, the second the user and the third represents the host name.
Ex:
Nick ninaju
USER tjkufb """rwt" :tjkufb
After the commands have been sent the program waits for reply from the server. If it finds the motd in the reply it joins the #pederi channel using the key: kurcevtest.
In order to not be disconnected by the server the bot automaticly replies to PING message with PONG. It also checks if there's a 433 reply (bad nick name) from the server and generates a new pseuda-roandom string in order to change its nick.
The ircbot acts also as a backdoor.The commands are sent by private messaging the bot.When the PRIVMSG string has been found in the buffer received by the bot it checks to see if the user sending the message doesn't end with @fbi.gov. If it's not it checks to see if the command received is one of the following:
v : replyes with beta_test_v0.1
q : disconnects from the server and after 10 seconds tries to reconnect.
d : the bot ends its execution
rem : the bot ends its execution and deletes the file
fstop : stops the flooding
s : probably from silent. If the argument of the command is different from "0" the bot sends information back to the user who sent the command.
j : joins a channel
p : exits a channell
dl : download a specified file (using the user-agent Mozilla) with the posibility to execute the file
udp : the boot will start an udp flooding
syn : the boot will start a syn floodingLast update 21 November 2011
