WAPOMI
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infects files, Propagates via flashdrives
WAPOMI (also known as SIMFECT) and its variants is a part of a Chinese bootkit named Guntior. It is said to target Chinese users only. It is used to gain control of the affected system and remove anything that can hinder the execution or installation of the other malware it will download.
WAPOMI variants propagate through file infection and/or removable drives. They also have the ability to terminate AV products, as well as hide their files, processes and registry entries. They may also connect to the internet to download components.
This Trojan arrives via removable drives.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs
Arrival Details
This Trojan arrives via removable drives.
Installation
This Trojan drops the following files:
- %System Root%\{random}.exe
- %System%\dmlocalsvc.dll
- %System%\{random}.sys
- {drive letter}:\autorun.inf
- %System Root%\Documents and Settings\Infotmp.txt
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %System% is the Windows system folder, which is usually C:\Windows\System32.)
It drops the following copies of itself into the affected system:
- {drive letter}:\recycle.{CLSID}\uninstall.exe
It creates the following folders:
- {drive letter}:\recycle.{CLSID}
Other System Modifications
This Trojan adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{exe file}
Debugger = "ntsd -d"
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network
Other Details
This Trojan connects to the following possibly malicious URL:
- www.baidu.com
- http://{BLOCKED}t.{BLOCKED}o.com/
- www.{random}.info
NOTES:
{exe file} is a list of the following:
- 360SAFE_INSTALLER.exe
- 360SoftMgrSvc.exe
- 360hotfix.exe
- 360rp.exe
- 360rpt.exe
- 360safe.exe
- 360safebox.exe
- 360sd.exe
- 360se.exe
- 360speedld.exe
- 360tray.exe
- AvastSvc.exe
- AvastUI.exe
- CCenter.exe
- FilMsg.exe
- KSafeSvc.exe
- KSafeTray.exe
- KVMonXP.exe
- KVMonXP.kxp
- KVSrvXP.exe
- MOBKbackup.exe
- MPMon.exe
- MPSVC.exe
- MPSVC1.exe
- MPSVC2.exe
- McNASvc.exe
- McProxy.exe
- McSACore.exe
- Mcods.exe
- Mcshield.exe
- MpfSrv.exe
- MsSvHost.exe
- QQPCAddWidget.exe
- QQPCMgr.exe
- QQPCMgr_tz_Setup.exe
- QQPCRTP.EXE
- QQPCTray.exe
- QQPCUPDATE.EXE
- QQPConfig.exe
- RavMonD.exe
- RavTask.exe
- RsAgent.exe
- RsTray.exe
- Rsmgrsvc.exe
- ScanFrm.exe
- SfCtlCom.exe
- SpIDerMl.exe
- SuperKiller.exe
- TMBMSRV.exe
- TmProxy.exe
- Twister.exe
- UfSeAgnt.exe
- V3PScan.exe
- V3SP.exe
- VPSvc.exe
- afwServ.exe
- ast.exe
- avcenter.exe
- avfwsvc.exe
- avgcsrvx.exe
- avgemc.exe
- avgnsx.exe
- avgnt.exe
- avgrsx.exe
- avgtray.exe
- avguard.exe
- avgwdsvc.exe
- avmailc.exe
- avp.exe
- avshadow.exe
- avwebgrd.exe
- bdagent.exe
- ccSvcHst.exe
- dwengine.exe
- egui.exe
- ekrn.exe
- kavstart.exe
- kissvc.exe
- kmailmon.exe
- knsd.exe
- knsdsvc.exe
- knsdtray.exe
- knsdwsc.exe
- kpfw32.exe
- kpfwsvc.exe
- kpopserver.exe
- krnl360svc.exe
- ksmgui.exe
- ksmsvc.exe
- kswebshield.exe
- kvexpert.exe
- kvol.exe
- kvxp.exe
- kwatch.exe
- kwstray.exe
- kwsupd.exe
- kxedefend.exe
- kxesapp.exe
- kxescore.exe
- kxeserv.exe
- kxetray.exe
- livesrv.exe
- mcagent.exe
- mcmscsvc.exe
- mcsysmon.exe
- mcvsshld.exe
- mfefire.exe
- mfevtps.exe
- msksrver.exe
- qutmserv.exe
- rsnetsvr.exe
- safeboxTray.exe
- sched.exe
- seccenter.exe
- spideragent.exe
- spidernt.exe
- spiderui.exe
- upsvc.exe
- vgchsvx.exe
- vsserv.exe
- zhudongfangyu.exe
- ÐÞ¸´¹¤¾ß.exe
- ÐÞ¸´¹¤¾ß.exe