WAPOMI

WAPOMI (also known as SIMFECT) and its variants is a part of a Chinese bootkit named Guntior. It is said to target Chinese users only. It is used to gain control of the affected system and remove anything that can hinder the execution or installation of the other malware it will download.

WAPOMI variants propagate through file infection and/or removable drives. They also have the ability to terminate AV products, as well as hide their files, processes and registry entries. They may also connect to the internet to download components.

This Trojan arrives via removable drives.

Arrival Details

This Trojan arrives via removable drives.

Installation

This Trojan drops the following files:

• %System Root%\{random}.exe
• %System%\dmlocalsvc.dll
• %System%\{random}.sys
• {drive letter}:\autorun.inf
• %System Root%\Documents and Settings\Infotmp.txt

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

• {drive letter}:\recycle.{CLSID}\uninstall.exe

It creates the following folders:

• {drive letter}:\recycle.{CLSID}

Other System Modifications

This Trojan adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{exe file}
Debugger = "ntsd -d"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network

Other Details

This Trojan connects to the following possibly malicious URL:

• www.baidu.com
• http://{BLOCKED}t.{BLOCKED}o.com/
• www.{random}.info

NOTES:
{exe file} is a list of the following:

• 360SAFE_INSTALLER.exe
• 360SoftMgrSvc.exe
• 360hotfix.exe
• 360rp.exe
• 360rpt.exe
• 360safe.exe
• 360safebox.exe
• 360sd.exe
• 360se.exe
• 360speedld.exe
• 360tray.exe
• AvastSvc.exe
• AvastUI.exe
• CCenter.exe
• FilMsg.exe
• KSafeSvc.exe
• KSafeTray.exe
• KVMonXP.exe
• KVMonXP.kxp
• KVSrvXP.exe
• MOBKbackup.exe
• MPMon.exe
• MPSVC.exe
• MPSVC1.exe
• MPSVC2.exe
• McNASvc.exe
• McProxy.exe
• McSACore.exe
• Mcods.exe
• Mcshield.exe
• MpfSrv.exe
• MsSvHost.exe
• QQPCAddWidget.exe
• QQPCMgr.exe
• QQPCMgr_tz_Setup.exe
• QQPCRTP.EXE
• QQPCTray.exe
• QQPCUPDATE.EXE
• QQPConfig.exe
• RavMonD.exe
• RavTask.exe
• RsAgent.exe
• RsTray.exe
• Rsmgrsvc.exe
• ScanFrm.exe
• SfCtlCom.exe
• SpIDerMl.exe
• SuperKiller.exe
• TMBMSRV.exe
• TmProxy.exe
• Twister.exe
• UfSeAgnt.exe
• V3PScan.exe
• V3SP.exe
• VPSvc.exe
• afwServ.exe
• ast.exe
• avcenter.exe
• avfwsvc.exe
• avgcsrvx.exe
• avgemc.exe
• avgnsx.exe
• avgnt.exe
• avgrsx.exe
• avgtray.exe
• avguard.exe
• avgwdsvc.exe
• avmailc.exe
• avp.exe
• avshadow.exe
• avwebgrd.exe
• bdagent.exe
• ccSvcHst.exe
• dwengine.exe
• egui.exe
• ekrn.exe
• kavstart.exe
• kissvc.exe
• kmailmon.exe
• knsd.exe
• knsdsvc.exe
• knsdtray.exe
• knsdwsc.exe
• kpfw32.exe
• kpfwsvc.exe
• kpopserver.exe
• krnl360svc.exe
• ksmgui.exe
• ksmsvc.exe
• kswebshield.exe
• kvexpert.exe
• kvol.exe
• kvxp.exe
• kwatch.exe
• kwstray.exe
• kwsupd.exe
• kxedefend.exe
• kxesapp.exe
• kxescore.exe
• kxeserv.exe
• kxetray.exe
• livesrv.exe
• mcagent.exe
• mcmscsvc.exe
• mcsysmon.exe
• mcvsshld.exe
• mfefire.exe
• mfevtps.exe
• msksrver.exe
• qutmserv.exe
• rsnetsvr.exe
• safeboxTray.exe
• sched.exe
• seccenter.exe
• spideragent.exe
• spidernt.exe
• spiderui.exe
• upsvc.exe
• vgchsvx.exe
• vsserv.exe
• zhudongfangyu.exe
• ÐÞ¸´¹¤¾ß.exe
• ÐÞ¸´¹¤¾ß.exe