Win32/Wapomi [Threat Name] go to Threat
Win32/Wapomi.K [Threat Variant Name]
| Category | virus |
| Size | 91949 B |
| Aliases | Worm.Win32.Qvod.ajq (Kaspersky) |
| Virus:Win32/Jadtre.gen!A (Microsoft) | |
| W32.Wapomi.B (Symantec) | |
| Win32/Wapomi.D.virus (AVG) |
Short description
Win32/Wapomi.K is a file infector. The virus tries to download and execute several files from the Internet.
Installation
When executed, the virus creates the following files:
- %system%\drivers\%random%.sys (8448 B, Win32/Wapomi.D)
A string with variable content is used instead of %random% .
Installs the following system drivers:
- %system%\drivers\%random%.sys
The following services are disabled:
- AppMgmt
- BITS
- Browser
- CryptSvc
- EventSystem
- FastUserSwitchingCompatibility
- helpsvc
- Netman
- Nla
- Ntmssvc
- RemoteRegistry
- Schedule
- SSDPSRV
- Tapisrv
- upnphost
- WmdmPmSN
- xmlprov
- %servicename%
The virus attempts to replace the following files with a copy of itself:
- %system%\appmgmts.dll
- %system%\browser.dll
- %system%\cryptsvc.dll
- %system%\es.dll
- %system%\mspmsnsv.dll
- %system%\mswsock.dll
- %system%\netman.dll
- %system%\ntmssvc.dll
- %system%\pchsvc.dll
- %system%\qmgr.dll
- %system%\regsvc.dll
- %system%\schedsvc.dll
- %system%\shsvcs.dll
- %system%\ssdpsrv.dll
- %system%\tapisrv.dll
- %system%\upnphost
- %system%\xmlprov.dll
- %system%\%servicename%.dll
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%stoppedservicename%]
- "Start" = 2
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%servicename%\Parameters]
- "ServiceDll" = "%system%\%servicename%.dll"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SW\{eec12db6-ad9c-4168-8658-b03daef417fe}\{ABD61E00-9350-47E2-A632-4438B90C6641}]
- "Service" = "%variable1%"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%variable1%]
- "Start" = 3
- "Type" = 1
- "ImagePath" = "%system%\drivers\%variable1%.sys"
The virus may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0200409]
- "ImeFile" = "%variable2%.tmp"
- "Layout Text" = "2977240C"
- "Layout File" = "kbdus.dll"
- [HKEY_CURRENT_USER\Keyboard Layout\Preload]
- "%variable3%" = "E0200409"
A string with variable content is used instead of %variable1-3% .
Instead of %servicename% , the value(s) are taken from the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
File infection
Win32/Wapomi.K is a file infector.
The virus infects .exe files including .exe files in RAR archives.
It also infects files stored on removable and network drives.
It avoids files which contain any of the following strings in their path:
- Common Files
- ComPlus Applications
- Documents and Settings
- InstallShield Installation Information
- Internet Explorer
- Messenger
- microsoft frontpage
- Movie Maker
- MSN Gaming Zone
- NetMeeting
- Outlook Express
- RECYCLER
- System Volume Information
- Thunder
- Thunder Network
- WINDOWS
- Windows Media Player
- Windows NT
- WindowsUpdate
- WinNT
- WinRAR
Files are infected by adding a new section that contains the virus .
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The size of the inserted code is 91949 B .
Spreading on removable media
The virus copies itself to the following location:
- %drive%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\install.exe
The virus creates the following file:
- %drive%\autorun.inf
The AUTORUN.INF file contains the path to the malware executable.
Thus, the virus ensures it is started each time infected media is inserted into the computer.
Spreading via shared folders
The virus searches for various shared folders.
It tries to place a copy of itself into the folders.
The following usernames are used:
- admin
- Administrator
- Guest
- Root
The following passwords are used:
- 0
- 000000
- 007
- 1
- 110
- 111
- 1111
- 111111
- 11111111
- 12
- 121212
- 123
- 123123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234qwer
- 123abc
- 123asd
- 123qwe
- 1313
- 2002
- 2003
- 2112
- 2600
- 5150
- 520
- 5201314
- 54321
- 654321
- 6969
- 7777
- 88888888
- 901100
- Login
- a
- aaa
- abc
- abc123
- abcd
- admin
- admin123
- administrator
- alpha
- asdf
- baseball
- ccc
- computer
- database
- enable
- fish
- fuck
- fuckyou
- god
- godblessyou
- golf
- harley
- home
- ihavenopass
- letmein
- login
- love
- mustang
- mypass
- mypass123
- mypc
- mypc123
- owner
- pass
- passwd
- password
- pat
- patrick
- pc
- pussy
- pw
- pw123
- pwd
- qq520
- qwer
- qwerty
- root
- server
- sex
- shadow
- super
- sybase
- temp
- temp123
- test
- test123
- win
- xp
- xxx
- yxcv
- zxcv
The following filename is used:
- %variable%.exe
A string with variable content is used instead of %variable% .
The virus schedules a task that causes the following file to be executed repeatedly:
- %variable%.exe
Other information
It uses techniques common for rootkits.
The virus hides its presence in the system.
The following programs are terminated:
- 360hotfix.exe
- 360rp.exe
- 360rpt.exe
- 360safe.exe
- 360safebox.exe
- 360sd.exe
- 360se.exe
- 360SoftMgrSvc.exe
- 360speedld.exe
- 360tray.exe
- afwServ.exe
- agentsvr.exe
- ast.exe
- AvastUI.exe
- avcenter.exe
- avfwsvc.exe
- avgnt.exe
- avguard.exe
- avmailc.exe
- avp.exe
- avshadow.exe
- avwebgrd.exe
- avwebgrd.exe
- bdagent.exe
- CCenter.exe
- ccSvcHst.exe
- dwengine.exe
- egui.exe
- ekrn.exe
- FilMsg.exe
- kavstart.exe
- kissvc.exe
- kmailmon.exe
- kpfw32.exe
- kpfwsvc.exe
- krnl360svc.exe
- ksmgui.exe
- ksmsvc.exe
- kswebshield.exe
- KVMonXP.kxp
- KVSrvXP.exe
- kwatch.exe
- livesrv.exe
- Mcagent.exe
- mcmscsvc.exe
- McNASvc.exe
- Mcods.exe
- McProxy.exe
- McSACore.exe
- Mcshield.exe
- mcsysmon.exe
- mcvsshld.exe
- MpfSrv.exe
- MPMon.exe
- MPSVC.exe
- MPSVC1.exe
- MPSVC2.exe
- msksrver.exe
- qutmserv.exe
- RavMonD.exe
- RavTask.exe
- RsAgent.exe
- rsnetsvr.exe
- RsTray.exe
- RSTray.exe
- safeboxTray.exe
- ScanFrm.exe
- sched.exe
- seccenter.exe
- SfCtlCom.exe
- spideragent.exe
- SpIDerMl.exe
- spidernt.exe
- spiderui.exe
- TMBMSRV.exe
- TmProxy.exe
- Twister.exe
- UfSeAgnt.exe
- vsserv.exe
- zhudongfangyu.exe
- 修复工具.exe
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\修复工具.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SoftMgrSvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360se.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360speedld.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McNASvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcagent.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcods.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfCtlCom.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpIDerMl.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Twister.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UfSeAgnt.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ast.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avfwsvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwengine.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmgui.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksmsvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kswebshield.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qutmserv.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spideragent.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe]
- "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zhudongfangyu.exe]
- "Debugger" = "ntsd -d"
The modified Registry entries will prevent specific files from being executed.
Win32/Wapomi.K is a virus which tries to download other malware from the Internet.
The virus acquires data and commands from a remote computer or the Internet.
The virus contains a list of (37) URLs. It tries to download several files from the addresses. The HTTP protocol is used.
The downloaded files contain encrypted executables.
After decryption, the virus runs these files.
The virus modifies the following file:
- %system%\drivers\etc\hosts
The virus may perform DoS attacks.
Win32/Wapomi.K is a virus that spreads by exploiting a vulnerability in Server Service .
If successful, the remote computer may attempt to download the copy of the virus from the Internet. This vulnerability is described in CVE-2008-4250 .
The virus opens the following URLs in Internet Explorer :
- 3.nsb927.com/mac.htm
- 3.nse917.com/mac.htm