This month, Worm:Win32/Hamweq has been added to the Malicious Software Removal Tool (MSRT) in time for the holidays. Hamweq makes it on to MSRT’s “naughty” list as an IRC-controlled backdoor that spreads via removable drives. It has multiple means of hiding its presence; it installs itself into a hidden directory which it disguises as a recycle bin, and, once run, it injects various code sections, and separately injects each of the encrypted strings it uses, into the explorer.exe process. This means it will not be shown separately on any list of running processes, and may also give it network access through any firewall that might be installed.
Hamweq periodically checks whether a removable drive has been attached, and if so, will copy itself to that drive, again using a directory that it disguises as a recycle bin. It also creates an autorun.inf file on the drive, containing an option to “Open folder to view files.” This means that when the drive is subsequently attached to another system, the autoplay dialog will display two options that have this description. One of these will display the drive in Windows Explorer, whilst the other will run the malware. If the malware is launched from a removable drive, it also opens Windows Explorer, so users may not be able to spot the difference between the two options.
The worm connects to an IRC server – this allows the backdoor’s controllers to give the gift of more malware, as the server may order Hamweq to download and execute whatever files they see fit to install on the machine. Some variants of Hamweq may also be ordered to participate in Distributed Denial of Service attacks.
Microsoft’s latest Security Intelligence Report lists Hamweq as the second most prevalent distinct worm family reported by Forefront, our enterprise antivirus solution. Worms that spread via network shares or via removable drives tend to have large numbers of reports in the corporate environments, as these environments are usually highly networked, and because removable drives such as USB memory sticks are used often. Win32/Taterf, in spite of its payload being a password stealer for a number of different predominantly Chinese-language-based online role playing games, is another worm that is particularly prevalent in corporate environments worldwide (third most reported worm family by Forefront), regardless of the region, and the fact that most corporations would not have these games installed on their systems. Taterf, which is consistently one of the highest reported threats by MSRT, was found in high numbers in diverse regions such as Brazil, France, Russia, and South Africa.
You can reduce the effectiveness of these types of worms by ensuring that autorun content is not displayed in the autoplay dialog when removable or network drives are attached. For Windows 7, this is the default behavior (see: http://blogs.technet.com/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx). If you have an earlier version of Windows that is not already configured in this way, you can follow the instructions at: http://support.microsoft.com/kb/971029. Alternatively, for Windows Vista or later, you can disable autoplay completely, or for particular types of media, via the “Hardware and Sound” section of the Control Panel.