WORM_HAMWEQ.ZPS

This worm arrives via removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives via removable drives.

Installation

This worm drops the following copies of itself into the affected system:

• %System Root%\RELEASE\DEBUG\ghx.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following files:

• %System Root%\RELEASE\DEBUG\desKtOp.InI

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It creates the following folders:

• %System Root%\RELEASE

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{67XOR2B0-3GMC-89VV-JIJ1-32KL5R3423144}
StubPath = "%System Root%\RELEASE\DEBUG\ghx.exe"

Propagation

This worm creates the following folders in all removable drives:

• RELEASE

It drops the following copy(ies) of itself in all removable drives:

• {removable drive letter}:\RELEASE\DEBUG\ghx.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=RELEASE\DEBUG\ghx.exe

;ooooooooggggggggggggaaaaaaaaaaaaaaarrrrrrrrdddddddddd is good Guy.
action=Open folder to view files
shell\open=Open
shell\open\command=RELEASE\DEBUG\ghx.exe
shell\open\default=1

Other Details

This worm connects to the following possibly malicious URL:

• {BLOCKED}ng2.{BLOCKED}rk.biz:3211
• {BLOCKED}g2.{BLOCKED}ils.net:3211
• {BLOCKED}g2.{BLOCKED}nc.cz:3211