| Hamweq_2 is a Worm. Worms spread from computer to computer, making copies of themselves over the network. They could spread over email, IM, peer-to-peer networks, or directly over the wire by leveraging vulnerabilities. Hamweq_2 is compressed using the PE_PATCH executable packer and its file size is 115,200 bytes. This malware is written in Borland Delphi. It uses the network connection: - Connects to "lamer.mqbol.com" on port 3935 (TCP).
- Sends data stream (12 bytes) to remote address "lamer.mqbol.com", port 3935.
- Connects to IRC Server.
Hamweq_2 drops the following files on the hard drive: - \Desktop.ini (62 bytes)
- C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\sweet.exe (115200 bytes)
It creates the following mutex to ensure only one instance is running: VrX-1 1_3. It also attempts to acquire the "SeDebugPrivilege" privileges, monitors the list of running processes.
|
