
Backdoor.Hamweq.A

MEDIUM
MEDIUM
approx 14000 bytes

Symptoms

Presence of C:\autorun.inf file

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Razvan Benchea, virus researcher

Technical Description:

The virus starts by decrypting a part of its code in order to resolve its imports. When that is done, it searches for the process svchost.exe, injects into it and creates the mutex asd..6567fj.
After the virus code has been injected, it checks whether it is running from C:\Recycler\D-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe and, if it isn't, copies itself to that location. It then creates two threads.

The first one tries, every 2 seconds, to create the following registry keys and values:
HKLM\Software\Microsoft\Active Setup\Installed Components\{08B0e5c0-4fcb-11cf-aax5-00401c608512}\stubPath
HKCU\Software\Microsoft\Active Setup\Installed Components\{08B0e5c0-4fcb-11cf-aax5-00401c608512}\stubPath
HKCU\Software\Microsoft\Windows\CurrentVersion\RUN\tester

all pointing to the file
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe

The second one scans every 10 seconds for removable drives and, if it finds one, creates the folder
R:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ and copies itself to the new location under the name autorun.exe. After that, it creates a file Desktop.ini in the newly created folder in which it writes:
[.shellClassInfo]
CLSID={645ff040-5081-101b-9f08-00aa002f954e}

It creates an autorun.inf file in the root of the removable drive in which it writes:
[autorun]
open=R:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-682003330-1013\autorun.exe)

R stands for the drive letter of the removable drive.
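The autorun.inf and Desktop.ini layout above can be checked for mechanically. The following is an added example (not Bitdefender's code): a small INI parser plus two checks that flag an autorun.inf whose open/shell command launches an executable from a RECYCLER\S-1-5-21-... folder and a Desktop.ini that disguises its folder with the Recycle Bin CLSID. The sample file contents are constructed to match the page's description.

```python
import re

# Constructed samples reproducing the files described in the analysis
# (R: stands for the removable drive letter).
SAMPLE_AUTORUN_INF = r"""[autorun]
open=R:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-682003330-1013\autorun.exe
"""
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID={645ff040-5081-101b-9f08-00aa002f954e}\n"
BENIGN_AUTORUN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Driver CD\n"

# Executable launched out of a RECYCLER\S-1-5-21-... folder (the worm's drop path).
RECYCLER_EXE = re.compile(r"recycler\\s-1-5-21(?:-\d+)+\\[^\\]+\.exe", re.IGNORECASE)
# CLSID of the Recycle Bin shell folder: a Desktop.ini carrying it makes Explorer
# render the folder as a Recycle Bin and hide its real contents.
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, sections and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Return the reasons an autorun.inf looks like the worm's dropped file (empty if none)."""
    autorun = parse_ini(text).get("autorun", {})
    findings = []
    for key in ("open", "shellexecute", "shell\\open\\command"):
        value = autorun.get(key, "")
        if RECYCLER_EXE.search(value):
            findings.append(f"{key} launches executable from RECYCLER folder: {value}")
    # Action text copied from Explorer's own prompt, used to make the launch look legitimate.
    if findings and autorun.get("action", "").lower().startswith("open folder"):
        findings.append("action text mimics Explorer's 'Open folder to view files' prompt")
    return findings


def desktop_ini_hides_folder(text):
    """True if a Desktop.ini disguises its folder as the Recycle Bin, as the worm's does."""
    info = parse_ini(text).get(".shellclassinfo", {})
    return info.get("clsid", "").lower() == RECYCLE_BIN_CLSID
```

Run the two functions over the root autorun.inf and any RECYCLER\...\Desktop.ini found on a removable drive; the key names checked (open, shellexecute, shell\open\command) are the standard autorun.inf launch keys.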

While the threads are running, the virus opens an internet connection and attempts, every 10 seconds, to connect to a list of different servers. The version analyzed has only one server and one port in the list (iams.wear[hidden].net, port 5349).
After the connection has been established, it creates 3 pseudo-random strings. The first one represents the nick, the second the user and the third represents the host name.
Ex:
Nick ninaju \r\n
USER tjkufb \"\"\"rwt\" :tjkufb \r\n

After the commands have been sent, the program waits for a reply from the server. If it finds the MOTD in the reply, it joins the #pederi channel using the key kurcevtest.
In order not to be disconnected by the server, the bot automatically replies to PING messages with PONG. It also checks whether there is a 433 reply (bad nickname) from the server and, if so, generates a new pseudo-random string in order to change its nick.

The IRC bot also acts as a backdoor. Commands are sent by private-messaging the bot. When the PRIVMSG string is found in the buffer received by the bot, it checks whether the user sending the message ends with @fbi.gov. If it does not, it checks whether the command received is one of the following:

v : replies with beta_test_v0.1
q : disconnects from the server and after 10 seconds tries to reconnect.
d : the bot ends its execution
rem : the bot ends its execution and deletes the file
fstop : stops the flooding
s : probably from silent. If the argument of the command is different from "0" the bot sends information back to the user who sent the command.
j : joins a channel
p : exits a channel
dl : downloads a specified file (using the user-agent Mozilla) with the possibility to execute the file
udp : the bot will start a UDP flood
syn : the bot will start a SYN flood