Help with Worm Win32/Hamweq

[Jesus2]

Recently one of my friends Transcend 8GB pendrive was infected by a Win32/Hamweq. There were a number of recycle files and directories that would be always present in the pendrive. What exactly is this Win32/Hamweq worm? What are its symptoms and also provide some technical details about it? What major precautions can be taken to avoid this worm infecting one's syetem.

[Shen]

In case your system is being attached by the Worm: Win32/Hamweq then following directories might be present on your system:

\recycler\h-6-1-53-0976546321-090909032-8763-1337
\recycler\k-1-3542-4232123213-7676767-8888886
\config\s-1-5-21-1482476501-1644491937-682003330-1013
\recycler\s-1-5-21-5311846712-4121495154-682003330-5111
\recycle\d-0-060-0000000000-1111111-2222222
\restore\s-1-5-21-1482476501-1644491937-682003330-1013
\recycler\s-1-5-21-1254416572-1263425100-317347820-0350
\release\debug
\memory\s-v-6-2009
\setup\data
\driver\files

Another symptoms to check the presence of the worm is the presence of most of the following files or similar files:

\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\hn.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\hjec.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sndmgr.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\system.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhx32.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\autorun.exe
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\reg32.exe

Always keep your anti virus updated to detect and delete such threats. Microsoft has already listed this worm with Severe alert levels.

[Milton.J]

The Win32/Hamweq worm expends itself to other system mainly through removable media or USB drivers that includes pen drives, card reader, memory sticks, etc. The affected machine can then cause its user the Denial of Service attack. This is done by the remote attacker with the help of IRC-based backdoor contained in this worm. This will also prompt the user to download and execute unknown files. To make the the infected directory to appear as a recycle bin when viewed in the Windows Explorer the worm creates a file by the name Desktop.ini. In the infected removable media such as a pen-drive the worm creates an autorun.inf

[Spyrus]

This is very recent network worm to be detected. To prevent infection for this and other such network worms, viruses and trojans always follow the basic prevention methods first:

• Always use an anti virus program and scan any removable media before opening in on your computer.
• Also your anti virus should be updated periodically as and when the updates for the anti virus are generated by its manufacturer.
• The Windows Firewall is always to be kept enabled to not allow any malicious programs to enter your computer.
• Never to open any attachments in Spam mails or unknown emails.
• Be careful while clicking on any advertisement link in a web page.
• Stop using Pirated software programs and always update your software programs.