Win32/Wapomi [Threat Name] go to Threat

Win32/Wapomi.K [Threat Variant Name]

Category virus
Size 91949 B
Detection created Aug 29, 2010
Detection database version 10317
Aliases Worm.Win32.Qvod.ajq (Kaspersky)
  Virus:Win32/Jadtre.gen!A (Microsoft)
  W32.Wapomi.B (Symantec)
  Win32/Wapomi.D.virus (AVG)
Short description

Win32/Wapomi.K is a file infector. The virus tries to download and execute several files from the Internet.


Installation

When executed, the virus creates the following files:

  • %system%\­drivers\­%random%.sys (8448 B, Win32/Wapomi.D)

A string with variable content is used instead of %random% .


Installs the following system drivers:

  • %system%\­drivers\­%random%.sys

The following services are disabled:

  • AppMgmt
  • BITS
  • Browser
  • CryptSvc
  • EventSystem
  • FastUserSwitchingCompatibility
  • helpsvc
  • Netman
  • Nla
  • Ntmssvc
  • RemoteRegistry
  • Schedule
  • SSDPSRV
  • Tapisrv
  • upnphost
  • WmdmPmSN
  • xmlprov
  • %servicename%

The virus attempts to replace the following files with a copy of itself:

  • %system%\­appmgmts.dll
  • %system%\­browser.dll
  • %system%\­cryptsvc.dll
  • %system%\­es.dll
  • %system%\­mspmsnsv.dll
  • %system%\­mswsock.dll
  • %system%\­netman.dll
  • %system%\­ntmssvc.dll
  • %system%\­pchsvc.dll
  • %system%\­qmgr.dll
  • %system%\­regsvc.dll
  • %system%\­schedsvc.dll
  • %system%\­shsvcs.dll
  • %system%\­ssdpsrv.dll
  • %system%\­tapisrv.dll
  • %system%\­upnphost
  • %system%\­xmlprov.dll
  • %system%\­%servicename%.dll

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­%stoppedservicename%]
  • "Start" = 2
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­%servicename%\­Parameters]
    • "ServiceDll" = "%system%\­%servicename%.dll"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Enum\­SW\­{eec12db6-ad9c-4168-8658-b03daef417fe}\­{ABD61E00-9350-47E2-A632-4438B90C6641}]
    • "Service" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­%variable1%]
    • "Start" = 3
    • "Type" = 1
    • "ImagePath" = "%system%\­drivers\­%variable1%.sys"

The virus may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Control\­Keyboard Layouts\­E0200409]
    • "ImeFile" = "%variable2%.tmp"
    • "Layout Text" = "2977240C"
    • "Layout File" = "kbdus.dll"
  • [HKEY_CURRENT_USER\­Keyboard Layout\­Preload]
    • "%variable3%" = "E0200409"

A string with variable content is used instead of %variable1-3% .


Instead of %servicename% , the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­SvcHost\­netsvcs]
File infection

Win32/Wapomi.K is a file infector.


The virus infects .exe files including .exe files in RAR archives.


It also infects files stored on removable and network drives.


It avoids files which contain any of the following strings in their path:

  • Common Files
  • ComPlus Applications
  • Documents and Settings
  • InstallShield Installation Information
  • Internet Explorer
  • Messenger
  • microsoft frontpage
  • Movie Maker
  • MSN Gaming Zone
  • NetMeeting
  • Outlook Express
  • RECYCLER
  • System Volume Information
  • Thunder
  • Thunder Network
  • WINDOWS
  • Windows Media Player
  • Windows NT
  • WindowsUpdate
  • WinNT
  • WinRAR

Files are infected by adding a new section that contains the virus .


The host file is modified in a way that causes the virus to be executed prior to running the original code.


The size of the inserted code is 91949 B .

Spreading on removable media

The virus copies itself to the following location:

  • %drive%\­recycle.{645FF040-5081-101B-9F08-00AA002F954E}\­install.exe

The virus creates the following file:

  • %drive%\­autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the virus ensures it is started each time infected media is inserted into the computer.

Spreading via shared folders

The virus searches for various shared folders.


It tries to place a copy of itself into the folders.


The following usernames are used:

  • admin
  • Administrator
  • Guest
  • Root

The following passwords are used:

  • 0
  • 000000
  • 007
  • 1
  • 110
  • 111
  • 1111
  • 111111
  • 11111111
  • 12
  • 121212
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1313
  • 2002
  • 2003
  • 2112
  • 2600
  • 5150
  • 520
  • 5201314
  • 54321
  • 654321
  • 6969
  • 7777
  • 88888888
  • 901100
  • Login
  • a
  • aaa
  • abc
  • abc123
  • abcd
  • admin
  • admin123
  • administrator
  • alpha
  • asdf
  • baseball
  • ccc
  • computer
  • database
  • enable
  • fish
  • fuck
  • fuckyou
  • god
  • godblessyou
  • golf
  • harley
  • home
  • ihavenopass
  • letmein
  • login
  • love
  • mustang
  • mypass
  • mypass123
  • mypc
  • mypc123
  • owner
  • pass
  • passwd
  • password
  • pat
  • patrick
  • pc
  • pussy
  • pw
  • pw123
  • pwd
  • qq520
  • qwer
  • qwerty
  • root
  • server
  • sex
  • shadow
  • super
  • sybase
  • temp
  • temp123
  • test
  • test123
  • win
  • xp
  • xxx
  • yxcv
  • zxcv

The following filename is used:

  • %variable%.exe

A string with variable content is used instead of %variable% .


The virus schedules a task that causes the following file to be executed repeatedly:

  • %variable%.exe
Other information

It uses techniques common for rootkits.


The virus hides its presence in the system.


The following programs are terminated:

  • 360hotfix.exe
  • 360rp.exe
  • 360rpt.exe
  • 360safe.exe
  • 360safebox.exe
  • 360sd.exe
  • 360se.exe
  • 360SoftMgrSvc.exe
  • 360speedld.exe
  • 360tray.exe
  • afwServ.exe
  • agentsvr.exe
  • ast.exe
  • AvastUI.exe
  • avcenter.exe
  • avfwsvc.exe
  • avgnt.exe
  • avguard.exe
  • avmailc.exe
  • avp.exe
  • avshadow.exe
  • avwebgrd.exe
  • avwebgrd.exe
  • bdagent.exe
  • CCenter.exe
  • ccSvcHst.exe
  • dwengine.exe
  • egui.exe
  • ekrn.exe
  • FilMsg.exe
  • kavstart.exe
  • kissvc.exe
  • kmailmon.exe
  • kpfw32.exe
  • kpfwsvc.exe
  • krnl360svc.exe
  • ksmgui.exe
  • ksmsvc.exe
  • kswebshield.exe
  • KVMonXP.kxp
  • KVSrvXP.exe
  • kwatch.exe
  • livesrv.exe
  • Mcagent.exe
  • mcmscsvc.exe
  • McNASvc.exe
  • Mcods.exe
  • McProxy.exe
  • McSACore.exe
  • Mcshield.exe
  • mcsysmon.exe
  • mcvsshld.exe
  • MpfSrv.exe
  • MPMon.exe
  • MPSVC.exe
  • MPSVC1.exe
  • MPSVC2.exe
  • msksrver.exe
  • qutmserv.exe
  • RavMonD.exe
  • RavTask.exe
  • RsAgent.exe
  • rsnetsvr.exe
  • RsTray.exe
  • RSTray.exe
  • safeboxTray.exe
  • ScanFrm.exe
  • sched.exe
  • seccenter.exe
  • SfCtlCom.exe
  • spideragent.exe
  • SpIDerMl.exe
  • spidernt.exe
  • spiderui.exe
  • TMBMSRV.exe
  • TmProxy.exe
  • Twister.exe
  • UfSeAgnt.exe
  • vsserv.exe
  • zhudongfangyu.exe
  • 修复工具.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­修复工具.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360SoftMgrSvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360hotfix.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360rp.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360rpt.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360safe.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360safebox.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360sd.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360se.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360speedld.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­360tray.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­AvastUI.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­CCenter.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­FilMsg.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KVMonXP.kxp]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­KVSrvXP.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPMon.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPSVC.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPSVC1.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MPSVC2.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­McNASvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­McProxy.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­McSACore.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Mcagent.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Mcods.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Mcshield.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­MpfSrv.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RavMonD.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RavTask.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RsAgent.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­RsTray.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ScanFrm.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­SfCtlCom.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­SpIDerMl.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­TMBMSRV.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­TmProxy.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­Twister.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­UfSeAgnt.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­afwServ.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ast.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avcenter.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avfwsvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avgnt.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avguard.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avmailc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avp.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avshadow.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­avwebgrd.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­bdagent.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ccSvcHst.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­dwengine.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­egui.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ekrn.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kavstart.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kissvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kmailmon.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kpfw32.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kpfwsvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­krnl360svc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ksmgui.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­ksmsvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kswebshield.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­kwatch.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­livesrv.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcmscsvc.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcsysmon.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­mcvsshld.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­msksrver.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­qutmserv.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­rsnetsvr.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­safeboxTray.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­sched.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­seccenter.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­spideragent.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­spidernt.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­spiderui.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­vsserv.exe]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­zhudongfangyu.exe]
    • "Debugger" = "ntsd -d"

The modified Registry entries will prevent specific files from being executed.


Win32/Wapomi.K is a virus which tries to download other malware from the Internet.


The virus acquires data and commands from a remote computer or the Internet.


The virus contains a list of (37) URLs. It tries to download several files from the addresses. The HTTP protocol is used.


The downloaded files contain encrypted executables.


After decryption, the virus runs these files.


The virus modifies the following file:

  • %system%\­drivers\­etc\­hosts

The virus may perform DoS attacks.


Win32/Wapomi.K is a virus that spreads by exploiting a vulnerability in Server Service .


If successful, the remote computer may attempt to download the copy of the virus from the Internet. This vulnerability is described in CVE-2008-4250 .


The virus opens the following URLs in Internet Explorer :

  • 3.nsb927.com/mac.htm
  • 3.nse917.com/mac.htm

Please enable Javascript to ensure correct displaying of this content and refresh this page.