W32/Hwbot-A is a network worm with IRC backdoor functionality.
W32/Hwbot-A copies itself to the Windows system folder with the filename HWCLOCK.EXE and creates a service with the following characteristics so as to run itself on system startup:
Service Name: hwclock
Display Name: Hardware Clock Driver
Service Description: Enables a computer to save and restore system time information using the hardware clock. Stopping or disabling this service will result in system instability.
W32/Hwbot-A sets the following entries in the registry:
HKLM\software\microsoft\ole
enabledcom
"n"
HKLM\system\currentcontrolset\control\lsa
restrictanonymous
"1"
W32/Hwbot-A attempts to create a read-only file called DCPROMO.LOG in the DEBUG subfolder of the Windows folder to patch against certain network vulnerabilities.
W32/Hwbot-A connects to an IRC server and waits for instructions from a remote user. Possible instructions include downloading and executing further code or spreading via network security exploits.
W32/Hwbot-A may attempt to inject code into explorer.exe in order to delete itself, and may crash the infected computer during this process.
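A host check for the artefacts listed above, as an added PowerShell example that is not part of the original description. The function name Test-HwbotIndicators and the strong/weak grading are assumptions of this example; the service, file and registry values are the ones given in the description.

```powershell
# Added example: checks a Windows host for the W32/Hwbot-A artefacts described above.
# Test-HwbotIndicators and the strong/weak grading are assumptions of this example.
function Test-HwbotIndicators {
    $findings = @()

    # Persistence: service "hwclock" ("Hardware Clock Driver")
    $svc = Get-Service -Name 'hwclock' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'Service'; Detail = "$($svc.Name) / $($svc.DisplayName)"; Strength = 'strong' }
    }

    # Worm copy: HWCLOCK.EXE in the Windows system folder
    $exe = Join-Path ([Environment]::SystemDirectory) 'HWCLOCK.EXE'
    if (Test-Path -LiteralPath $exe) {
        $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $exe; Strength = 'strong' }
    }

    # Read-only DCPROMO.LOG in the DEBUG subfolder of the Windows folder.
    # Graded weak: dcpromo writes a log of this name on domain controllers.
    $log = Join-Path $env:windir 'DEBUG\DCPROMO.LOG'
    if ((Test-Path -LiteralPath $log) -and (Get-Item -LiteralPath $log -Force).IsReadOnly) {
        $findings += [pscustomobject]@{ Indicator = 'File'; Detail = "$log (read-only)"; Strength = 'weak' }
    }

    # Registry values set by the worm. Graded weak: administrators also set
    # these values deliberately when hardening a host.
    $regChecks = @(
        @{ Path = 'HKLM:\software\microsoft\ole';                   Name = 'enabledcom';        Value = 'n' },
        @{ Path = 'HKLM:\system\currentcontrolset\control\lsa';     Name = 'restrictanonymous'; Value = '1' }
    )
    foreach ($r in $regChecks) {
        $p = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
        if ($p -and ("$($p.($r.Name))" -ieq $r.Value)) {
            $findings += [pscustomobject]@{
                Indicator = 'Registry'; Detail = "$($r.Path)\$($r.Name) = $($r.Value)"; Strength = 'weak' }
        }
    }

    return $findings
}

# One row per artefact found; no output means none were present.
Test-HwbotIndicators | Format-Table -AutoSize
```

A weak finding on its own does not indicate infection; treat the host as suspect when a strong finding is present, with the weak ones as corroboration.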