Full description

Virus:	WORM/Hamweq.DD.19
Date discovered:	18/05/2011
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Low to medium
Static file:	Yes
File size:	22.528 Bytes
MD5 checksum:	795FB0DBBE402E6CC83DFA88A6B34C6F
VDF version:	7.11.08.60 - Wednesday, May 18, 2011
IVDF version:	7.11.08.60 - Wednesday, May 18, 2011

General Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: Trojan.FakeAV!gen50
   • Kaspersky: Trojan.Win32.FakeAv.bgyf
   • TrendMicro: TROJ_FAKEAV.SMIH
   • Sophos: Mal/FakeAV-EA

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Registry modification

Files It copies itself to the following location:
• %recycle bin%\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe

The following file is created:

– %recycle bin%\S-1-5-21-0243556031-888888379-781863308-1343\Desktop.ini

Registry One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "sdjwe"="%recycle bin%\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe"

The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Taskman"="%recycle bin%\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe"

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="explorer.exe,%recycle bin%\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe"

Backdoor Contact server:
The following:
• tf18.tefgame.com:8800

Injection – It injects itself as a remote thread into a process.

Process name:
• explorer.exe

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

說明撰寫者 Andrei Ilie 開啟 2011年6月7日星期二
說明更新者 Andrei Ilie 開啟 2011年6月21日星期二

返回 . . . .

我的帳戶