MS adds IRC-controlled backdoor “Hamweq” detection to Malicious Software Removal Tool

by certifiedbug on December 8, 2009

Microsoft Malware Protection Center

This month, Worm:Win32/Hamweq has been added to the Malicious Software Removal Tool (MSRT) in time for the holidays. Hamweq makes it onto MSRT’s “naughty” list as an IRC-controlled backdoor that spreads via removable drives. It has multiple means of hiding its presence. It installs itself into a hidden directory that it disguises as a recycle bin. Once run, it injects various code sections into the explorer.exe process, and separately injects each of the encrypted strings it uses. As a result, it is not shown separately in any list of running processes, and the injection may also give it network access through any firewall that might be installed.

MSRT slices the Hamweq for Christmas
