Softpedia
 


December 10th, 2009, 18:11 GMT · By

Hamweq Worm Tackled by Free Microsoft Security Solution

With the latest update to the Malicious Software Removal Tool (MSRT), Microsoft is helping customers detect and remove infections caused by one of the most prevalent worms worldwide. According to statistics in the latest version of the Redmond company's Security Intelligence Report, Worm:Win32/Hamweq is the second most widespread distinct worm family, as reported by Forefront. Users can now download MSRT and use it to remove Hamweq. The Malicious Software Removal Tool is a free security solution from Microsoft designed to remove only a specific group of malicious code. Users who want a full-fledged antivirus that is also free should download Microsoft Security Essentials 1.0.

“Hamweq makes it on to MSRT’s ‘naughty’ list as an IRC-controlled backdoor that spreads via removable drives. It has multiple means of hiding its presence; it installs itself into a hidden directory which it disguises as a recycle bin, and, once run, it injects various code sections, and separately injects each of the encrypted strings it uses, into the explorer.exe process. This means it will not be shown separately on any list of running processes, and may also give it network access through any firewall that might be installed,” a member of the Microsoft Malware Protection Center revealed.

Hamweq is designed to spread via removable drives. The worm can detect USB flash drives connected to the computer and infect them, using a directory that masquerades as a Recycle Bin. To spread as easily as possible, Hamweq also creates an autorun.inf file on the removable drive that presents a fake “Open folder to view files” option to users who connect an infected USB drive to a clean machine. This fake option appears under the “Install or run this program” heading in Windows' AutoPlay dialog. Clicking it launches the worm, which in turn compromises the new machine.
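The removable-drive behaviour described above can be checked statically before a drive is opened. The following Python sketch is an added example, not code from Microsoft or from the original article: it parses an autorun.inf body and flags an AutoPlay entry whose text imitates the folder option while launching a program, and a launch target stored in a Recycle Bin-style directory. The folder names matched and both sample files are assumptions constructed for illustration; the article does not give the worm's actual file or directory names.

```python
import re

# Real Windows Recycle Bin folder names. The article does not name the worm's
# directory, so matching on these is an assumption of this example.
RECYCLE_NAMES = {"recycler", "recycled", "$recycle.bin"}
LAUNCH_KEYS = {"open", "shellexecute"}
FOLDER_LURE = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and comments
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Return a list of findings for one autorun.inf body."""
    entries = parse_autorun(text)
    findings = []
    # Keys that cause a program to run: open, shellexecute, shell\verb\command
    launch = {k: v for k, v in entries.items()
              if k in LAUNCH_KEYS or k.startswith("shell\\")}
    if FOLDER_LURE.search(entries.get("action", "")) and launch:
        findings.append("action text imitates the folder option but runs a program")
    for key, value in launch.items():
        parts = re.split(r"[\\/]", value.lower().replace('"', ""))
        if any(p in RECYCLE_NAMES for p in parts[:-1]):
            findings.append(f"{key} launches a file from a Recycle Bin-style directory")
    return findings

# Constructed samples, not taken from a real infection.
SUSPICIOUS = """[AutoRun]
; constructed sample
Action=Open folder to view files
Open=RECYCLER\\example.exe
"""
BENIGN = """[autorun]
label=Backup Drive
icon=drive.ico
"""
```

Running `assess_autorun` over the autorun.inf found at the root of each mounted removable volume gives a quick triage list; an empty result means neither heuristic matched, not that the drive is clean.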

“The worm connects to an IRC server – this allows the backdoor's controllers to give the gift of more malware, as the server may order Hamweq to download and execute whatever files they see fit to install on the machine. Some variants of Hamweq may also be ordered to participate in Distributed Denial of Service attacks,” the MMPC representative added.

The Malicious Software Removal Tool is available for download here.

Copyright © 2001-2012 Softpedia. Contact/Tip us at
