Weekly Malware Review: Backdoor.Hamweq.Z

12 May 2010
The backdoor component - the malicious feature most appreciated by cybercriminals this week


Spreading technique: the backdoor arrives either as an attachment to an e-mail message or as a file downloaded directly onto the computer from a malicious or compromised website.

Upon execution, Backdoor.Hamweq.Z creates the directory "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451", where it places a copy of itself under the name "games.exe" and drops a file named "Desktop.ini", which makes the directory appear to be the Recycle Bin. In addition, to hide its malicious behavior, Backdoor.Hamweq.Z injects its code into the memory space of "explorer.exe".

Moreover, Backdoor.Hamweq.Z creates the following registry values: "Taskman" in "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"; "Shell" in "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"; and "games" in "Software\Microsoft\Windows\CurrentVersion\Run", all of them pointing to "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe".
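As an added example (not code from the original post or from BitDefender), the following Python script parses a constructed .reg export and flags the three persistence values described above: a Winlogon "Shell" that is not plain explorer.exe, any Winlogon "Taskman" value, and Run entries pointing under a SID-named directory below C:\RECYCLER. The sample registry data is constructed for illustration, not captured from an infected host.

```python
import re

# Constructed .reg export (not from a real host); values mirror the write-up's persistence.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1451\\games.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1451\\games.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"games"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1451\\games.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
'''
SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
RUN_KEYS = (r'hkey_local_machine\software\microsoft\windows\currentversion\run',
            r'hkey_current_user\software\microsoft\windows\currentversion\run')
# A SID-like directory name under C:\RECYCLER, as used by this sample
RECYCLER_RE = re.compile(r'\\recycler\\s-1-5-\d+(?:-\d+)+\\', re.IGNORECASE)
def parse_reg(text):
    # Map lowercase key path -> {value name: string data}; only REG_SZ lines are kept
    result, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key').lower()
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes as \\ and quotes as \"
            data = m.group('data').replace('\\\\', '\\').replace('\\"', '"')
            result[current][m.group('name')] = data
    return result
def find_hamweq_indicators(reg):
    # Return (location, data) pairs for values matching the persistence described above
    findings = []
    winlogon = reg.get(WINLOGON, {})
    shell = winlogon.get('Shell')
    if shell is not None and shell.strip().lower() != 'explorer.exe':
        findings.append(('Winlogon\\Shell', shell))  # default is exactly explorer.exe
    if 'Taskman' in winlogon:  # value is normally absent on a clean system
        findings.append(('Winlogon\\Taskman', winlogon['Taskman']))
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if RECYCLER_RE.search(data):
                findings.append(('Run\\' + name, data))
    return findings
```

Calling find_hamweq_indicators(parse_reg(SAMPLE_REG)) returns three findings (the Shell and Taskman values and the "games" Run entry) and leaves the benign "Updater" entry unflagged; the same functions work on a real `reg export` file read from disk.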

It subsequently opens a connection on port 8800 to games.freeps3[removed].biz, which allows a remote attacker to reach the backdoor component and seize control of the infected machine.

Backdoors are among the most harmful types of malware, as they give cyber-criminals full access to the user's computer and to the data stored on it, as well as the ability to manipulate it according to their own needs (for instance, to install additional software, to export locally saved documents, to manipulate online voting from various IPs, or even to launch TCP/UDP flood attacks against Internet servers). In order to stay safe and fully enjoy your Internet experience, BitDefender recommends that you install and regularly update an anti-malware suite with anti-virus, anti-spam, anti-phishing and firewall modules.

Information in this article is available courtesy of BitDefender virus researcher George Cabău.


Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.
