Win32/Hamweq [Threat Name] go to Threat

Win32/Hamweq.A [Threat Variant Name]

Category worm
Size 13568 B
Aliases Worm:Win32/Hamweq.A (Microsoft)
  W32.IRCBot (Symantec)
  Backdoor.Hamweq.M (BitDefender)
Short description

Win32/Hamweq.A is a worm that spreads via removable media. The file is run-time compressed using RLPack .


When executed, the worm copies itself into the following location:

  • C:\­RESTORE\­k-1-3542-4232123213-7676767-8888886\­Wins32.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Active Setup\­Installed Components\­{67KLN5J0-4OPM-00WE-AAX5-77EF1D187563}]
    • "StubPath" = "C:\­RESTORE\­k-1-3542-4232123213-7676767-8888886\­Wins32.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "FIREWALL SERVICE" = "C:\­RESTORE\­k-1-3542-4232123213-7676767-8888886\­Wins32.exe"

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
Spreading on removable media

Win32/Hamweq.A is a worm that spreads via removable media.

The worm copies itself to the following location:

  • %drive%\­RESTORE\­k-1-3542-4232123213-7676767-8888886\­Wins32.exe

The worm creates the following files:

  • %drive%\­RESTORE\­k-1-3542-4232123213-7676767-8888886\­Desktop.ini
  • %drive%\­Autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (2) addresses. The IRC protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

Please enable Javascript to ensure correct displaying of this content and refresh this page.