88.853 Bytes


Presence of the file “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe”.
Presence of the registry keys mentioned below.


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

George Cabau, virus researcher

Technical Description:

When first run, the malware creates the directory “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451”, where it copies itself under the name “games.exe” and drops a file named “Desktop.ini”, which makes the directory appear as the Recycle Bin when opened in Explorer.

To ensure it runs, it creates the following registry keys:
“Taskman” in “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”, “Shell” in “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”, and “games” in “Software\Microsoft\Windows\CurrentVersion\Run”, all of them pointing to “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe”.

After this, the malware injects its code into the memory space of the "explorer.exe" process, trying to hide its malicious behavior.

It then communicates with a malicious server by opening a new connection through port 8800 to games.freeps3[removed].biz, sending and receiving commands and executing them on the infected machine.

It has the capability to steal user information, send mail, initiate SYN attacks, and download and execute new malware.
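
A host can be checked for the file and registry indicators listed above with the following PowerShell script. This is an added example, not part of the original description or of any BitDefender tool. The description does not name the registry hive, so checking both HKLM and HKCU is an assumption, and the variable names are illustrative.

```powershell
# Added example: look for the file and registry indicators from this description.
# Assumption: the hive is not stated in the description, so HKLM and HKCU are both checked.
$dropDir = 'C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451'
$payload = "$dropDir\games.exe"

# Subkeys and value names exactly as listed in the description.
$checks = @(
    @{ SubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman' },
    @{ SubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'games' }
)

$findings = @()

# -Force makes Get-Item return hidden or system items as well.
if (Get-Item -LiteralPath $payload -Force -ErrorAction SilentlyContinue) {
    $findings += "File present: $payload"
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($c in $checks) {
        $keyPath = "$hive\$($c.SubKey)"
        $prop = Get-ItemProperty -LiteralPath $keyPath -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # key or value does not exist

        $data = [string]$prop.($c.Name)
        # "Shell" legitimately exists on clean systems, so a value is flagged
        # only when its data references the dropped file (case-insensitive).
        if ($data.IndexOf($payload, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $findings += "Registry value: $keyPath -> $($c.Name) = $data"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

HKCU reflects only the account running the script, so the check should be repeated for each user profile on a shared machine.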