Win32/Wapomi [Threat Name]

Win32/Wapomi.E [Threat Variant Name]

Category: virus
Size: 92672 B
Detection created: Jun 29, 2010
Detection database version: 5238
Aliases: Worm.Win32.Qvod.akg (Kaspersky)
  Virus:Win32/Jadtre.gen!A (Microsoft)
  W32.Wapomi.B (Symantec)

Short description

Win32/Wapomi.E is a file infector. The virus tries to download and execute several files from the Internet.

Installation

When executed, the virus creates the following files:

  • %system%\drivers\%random%.sys

A string with variable content is used instead of %random%.

The virus installs the following system drivers:

  • %system%\drivers\%random%.sys

The following services are disabled:

  • AppMgmt (appmgmts.dll)
  • BITS (qmgr.dll)
  • Browser (browser.dll)
  • CryptSvc (cryptsvc.dll)
  • EventSystem (es.dll)
  • FastUserSwitchingCompatibility (shsvcs.dll)
  • Netman (netman.dll)
  • Nla (mswsock.dll)
  • Ntmssvc (ntmssvc.dll)
  • RemoteRegistry (regsvc.dll)
  • Schedule (schedsvc.dll)
  • SSDPSRV (ssdpsrv.dll)
  • Tapisrv (tapisrv.dll)
  • WmdmPmSN (mspmsnsv.dll)
  • xmlprov (xmlprov.dll)

The virus attempts to replace the following files with a copy of itself:

  • %system%\appmgmts.dll
  • %system%\browser.dll
  • %system%\cryptsvc.dll
  • %system%\es.dll
  • %system%\mspmsnsv.dll
  • %system%\mswsock.dll
  • %system%\netman.dll
  • %system%\ntmssvc.dll
  • %system%\qmgr.dll
  • %system%\regsvc.dll
  • %system%\schedsvc.dll
  • %system%\shsvcs.dll
  • %system%\ssdpsrv.dll
  • %system%\tapisrv.dll
  • %system%\xmlprov.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%stoppedservicename%]
    • "Start" = 2

File infection

Win32/Wapomi.E is a file infector.


The virus infects .exe files including .exe files in RAR archives.


It also infects files stored on removable and network drives.


It avoids files which contain any of the following strings in their path:

  • Common Files
  • ComPlus Applications
  • Documents and Settings
  • InstallShield Installation Information
  • Internet Explorer
  • Messenger
  • Microsoft Frontpage
  • Movie Maker
  • MSN Gaming Zone
  • NetMeeting
  • Outlook Express
  • RECYCLER
  • System Volume Information
  • Thunder
  • Thunder Network
  • WINDOWS
  • Windows Media Player
  • Windows NT
  • WindowsUpdate
  • WinNT
  • WinRAR

Files are infected by adding a new section that contains the virus.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The size of the inserted code is 92672 B.

Spreading on removable media

The virus copies itself to the following location:

  • %drive%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\install.exe

The virus creates the following file:

  • %drive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the virus ensures it is started each time infected media is inserted into the computer.
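
The following check is an added example, not part of the original description: it parses the text of an autorun.inf and reports launch entries that point into a directory named with a CLSID suffix, as in the path above. The function names and both sample files are constructed for illustration.

```python
import re

# [autorun] keys whose value names a program to start
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# Directory name ending in a shell-folder CLSID suffix: "name.{GUID}"
CLSID_DIR = re.compile(r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def program_path(value):
    """First token of the command: a quoted path, or text up to the first space."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', value)
    return (m.group(1) or m.group(2) or "") if m else ""

def launch_targets(inf_text):
    """Return [(key, program_path)] from the [autorun] section."""
    targets, section = [], None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                targets.append((key.lower(), program_path(value)))
    return targets

def clsid_folder_launches(inf_text):
    """Launch targets located under a directory named with a CLSID suffix."""
    hits = []
    for key, path in launch_targets(inf_text):
        parents = path.replace("/", "\\").split("\\")[:-1]
        if any(CLSID_DIR.search(name) for name in parents):
            hits.append((key, path))
    return hits

# Constructed samples; the page does not reproduce the real autorun.inf
INFECTED = r"""[AutoRun]
open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\install.exe
shell\open\command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\install.exe
icon=setup.ico
"""
CLEAN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

if __name__ == "__main__":
    for key, path in clsid_folder_launches(INFECTED):
        print(f"suspicious {key} -> {path}")
```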

Spreading via shared folders

The virus searches for various shared folders.


It tries to place a copy of itself into the folders.


The following usernames are used:

  • Administrator
  • Guest
  • admin
  • Root

The following passwords are used:

  • 0
  • 1
  • 7
  • 12
  • 110
  • 111
  • 123
  • 520
  • 1111
  • 1234
  • 1313
  • 2002
  • 2003
  • 2112
  • 2600
  • 5150
  • 6969
  • 7777
  • 12345
  • 54321
  • 111111
  • 121212
  • 123123
  • 123456
  • 654321
  • 901100
  • 1234567
  • 5201314
  • 11111111
  • 12345678
  • 88888888
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • baseball
  • ccc
  • computer
  • database
  • enable
  • fish
  • fuck
  • fuckyou
  • god
  • godblessyou
  • golf
  • harley
  • home
  • ihavenopass
  • letmein
  • login
  • Login
  • love
  • mustang
  • mypass
  • mypass123
  • mypc
  • mypc123
  • owner
  • pass
  • passwd
  • password
  • pat
  • patrick
  • pc
  • pussy
  • pw
  • pw123
  • pwd
  • qq520
  • qwer
  • qwerty
  • root
  • server
  • sex
  • shadow
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv

The following filename is used:

  • %variable%.exe

A string with variable content is used instead of %variable%.


The virus schedules a task that causes the following file to be executed repeatedly:

  • %variable%.exe

Other information

The following programs are terminated:

  • 360hotfix.exe
  • 360rp.exe
  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360sd.exe
  • 360se.exe
  • 360SoftMgrSvc.exe
  • 360speedld.exe
  • 360tray.exe
  • afwServ.exe
  • ast.exe
  • AvastUI.exe
  • avcenter.exe
  • avfwsvc.exe
  • avgnt.exe
  • avguard.exe
  • avmailc.exe
  • avp.exe
  • avshadow.exe
  • avwebgrd.exe
  • bdagent.exe
  • CCenter.exe
  • ccSvcHst.exe
  • đŮŞ┤╣Ąż▀.exe
  • dwengine.exe
  • egui.exe
  • ekrn.exe
  • FilMsg.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • krnl360svc.exe
  • ksmgui.e
  • ksmsvc.exe
  • kswebshield.exe
  • KVMonXP.kxp
  • KVSrvXP.exe
  • kwatch.exe
  • livesrv.exe
  • Mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • Mcods.exe
  • McProxy.exe
  • McSACore.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • MPMon.exe
  • MPSVC.exe
  • MPSVC1.exe
  • MPSVC2.exe
  • msksrver.exe
  • qutmserv.exe
  • RavMonD.exe
  • RavTask.exe
  • RsAgent.exe
  • rsnetsvr.exe
  • RsTray.exe
  • safeboxTray.exe
  • ScanFrm.exe
  • sched.exe
  • seccenter.exe
  • SfCtlCom.exe
  • spideragent.exe
  • SpIDerMl.exe
  • spidernt.exe
  • spiderui.exe
  • TMBMSRV.exe
  • TmProxy.exe
  • Twister.exe
  • UfSeAgnt.exe
  • vsserv.exe
  • zhudongfangyu.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%process%]
    • "Debugger" = "ntsd -d"

The modified Registry entries will prevent specific files from being executed.
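
The audit below is an added example, not part of the original description or of any vendor tool: it parses the text of a `reg export` of the Image File Execution Options key and reports every image that has a Debugger value, separating the "ntsd -d" pattern listed above from other debuggers that need manual review. The function names, verdict labels and the sample export are constructed for illustration.

```python
import re

IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
CMD_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$')

def unescape(text):
    # .reg files escape backslash and double quote inside strings with a backslash
    return re.sub(r"\\(.)", r"\1", text)

def ifeo_debuggers(reg_text):
    """Return [(image_name, debugger_command)] for every IFEO key with a Debugger string."""
    found, image = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(IFEO.lower() + "\\")
            # First path component below IFEO is the image name the entry applies to
            image = key[pos + len(IFEO) + 1:].split("\\")[0] if pos != -1 else None
            continue
        m = VALUE_RE.match(line)
        if m and image and unescape(m.group(1)).strip().lower() == "debugger":
            found.append((image, unescape(m.group(2))))
    return found

def classify(command):
    """'blocked' = ntsd started with -d, as on this page; 'review' = any other debugger."""
    m = CMD_RE.match(command)
    if not m:
        return "review"
    exe = (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = m.group(3).lower().split()
    return "blocked" if exe in ("ntsd", "ntsd.exe") and "-d" in args else "review"

def audit(reg_text):
    return {image: classify(cmd) for image, cmd in ifeo_debuggers(reg_text)}

# Constructed sample in `reg export` text form (not taken from a real host)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="\"C:\\WINDOWS\\system32\\ntsd.exe\" -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

if __name__ == "__main__":
    for image, verdict in audit(SAMPLE).items():
        print(f"{verdict:8} {image}")
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text to `audit`.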


Win32/Wapomi.E is a virus which tries to download other malware from the Internet.


The virus contains a list of URLs. It tries to download several files from these addresses. The HTTP protocol is used.


The downloaded files contain encrypted executables.


These are stored in the following locations:

  • %temp%\%random%.rar
  • %temp%\%random%.exe

After decryption, the virus runs these files.

A string with variable content is used instead of %random%.


The virus modifies the following file:

  • %system%\drivers\etc\hosts

Win32/Wapomi.E is a virus that spreads by exploiting a vulnerability in the Server Service. This vulnerability is described in CVE-2008-4250.

The virus opens the following URLs in Internet Explorer:

  • http://208.98.24.254:8080/mac.htm?108
