HackTool:Win32/Wpakill
First posted on 07 June 2012.
Source: Microsoft
Aliases :
HackTool:Win32/Wpakill is also known as Tool-WPAKill (McAfee), Hacktool (Symantec).
Explanation :
HackTool:Win32/Wpakill is a family of hacking tools that attempt to disable or bypass WPA (Windows Product Activation), WGA (Windows Genuine Advantage) check or WAT (Windows Activation Technologies), by altering Windows operating system files, terminating processes, or by stopping services. These checks are implemented by Microsoft in an effort to reduce software piracy by validating if the software has a genuine license or genuine product key.
Tools that are detected as HackTool:Win32/Wpakill may be downloaded by a user so that they can illegally gain access to legitimate programs; however, these tools are often used as containers to distribute malware.
Variants of HackTool:Win32/Wpakill were discovered in the wild when Windows XP Windows Product Activation (WPA) and Windows Genuine Advantage (WGA) were developed.
Installation
HackTool:Win32/Wpakill may be present as either an executable or script file, with one of the following file extensions:
- .exe
- .dll
Upon execution, some variants of HackTool:Win32/Wpakill may replace legitimate files with their own modified files as part of their execution process.
HackTool:Win32/Wpakill variants are usually packaged in a self-extracting executable, such as RAR and ZIP executables, or NSIS compiled executables, with an enticing file name.
The file names vary, and can be virtually any name. Some examples of prevalent variants are listed below:
- activatewindows
- anti-wpa
- antiwat
- chew
- chew-wat
- chew-wga
- cracksforxp
- killwga
- killwpa
- removewat
- sp3activationcrack
- wga
- wga+crack
- win7activator
- win7crack
- windows7activator+removewat
- winxpsp2crack
- winxpsp3
- wpakill
- xp-activator
- xp-crack
- xpwga
HackTool:Win32/Wpakill variants commonly use any of the following icons in their executable files:
Installation details vary from variant to variant; see the variants below for installation details specific to each.
Variants in the wild
There are a number of different HackTool:Win32/Wpakill variants in the wild; each variant displays a different GUI (Graphical User Interface), and makes different changes to the computer.
Below are some examples of variants we have seen in the wild, and the changes they make to the computer on which they are installed:
XP Crack
XP Crack is a component of HackTool:Win32/Wpakill that is used to crack the Windows XP activation process.
Upon execution, it may delete the following files:
- %windir%\System32\idwlog.exe
- %windir%\System32\wpabaln.exe
- %windir%\prefetch\WPABALN.EXE-337AF9CE.pf
It then de-registers the following DLL files, which form a part of the Windows XP activation process:
- regwizc.dll
- licdll.dll
It may then shut down and reboot the computer to complete its installation process.
Windows XP Activator
Upon execution, Windows XP Activator replaces the "winlogon.exe" file with its own modified file.
As part of its installation routine, Windows XP Activator may make the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
Sets value: "LastWPAEventLogged"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "CurrentBuild"
Sets value: "ProductId"
Sets value: "DigitalProductId"
Sets value: "LicenseInfo"
Once the above registry entries have been modified, the computer will be restarted, and will undergo a new activation process by using the command "msoobe /a" with the new values in the registry.
Windows XP Validation Crack/Patcher
Below are some examples of various HackTool:Win32/Wpakill variants that are designed to bypass WPA (Windows Product Activation) when the user is installing Windows XP:
Upon execution, these tools create the following VBScript file:
<system folder>\syswinan.vbs
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The above file is used to change the Windows XP key from a legitimate key to a compromised key.
It then opens the system file "cscript.exe" to delete the following validation-related registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer
It also replaces the file "<system folder>\wpa.dbl" with its own modified file.
AntiWPA
Upon execution, AntiWPA drops the file "antiwpa.dll" in the Windows system folder.
It then creates the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa
Sets value: "Impersonate"
With data: dword:00000000
Sets value: "Asynchronous"
With data: dword:00000000
Sets value: "DllName"
With data: "antiwpa.dll"
Sets value: "Logon"
With data: "onLogon"
It then removes the "Activate Windows" link from the "Start Menu" and forces the Activate Windows dialog to display "Already Activated".
AntiWPA may also modify the following registry entries, and then re-activate Windows with the new values set in the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
Sets value: "LastWPAEventLogged"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "CurrentBuild"
Sets value: "InstallDate"
Sets value: "ProductId"
Sets value: "DigitalProductId"
Sets value: "LicenseInfo"
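A triage check for the Winlogon Notify entries listed above, run over the text of a registry export. This is an added example, not part of the original write-up; the function names and the sample export are constructed, and it assumes "DllName" is stored as a plain string value (hex-encoded values are kept undecoded).

```python
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify").lower()

def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, data = m.groups()
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:  # REG_SZ: unquote and undo .reg backslash escaping
                current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_antiwpa_notify(text):
    """Return Notify packages matching the AntiWPA entries listed above."""
    hits = []
    for path, values in parse_reg_export(text).items():
        parent, _, sub = path.rpartition("\\")
        if parent.lower() != NOTIFY_KEY:
            continue
        dll = str(values.get("DllName", ""))
        if sub.lower() == "antiwpa" or dll.rsplit("\\", 1)[-1].lower() == "antiwpa.dll":
            hits.append({"subkey": sub, "DllName": dll, "Logon": values.get("Logon")})
    return hits

# Constructed sample export (decode real `reg export` output from UTF-16 first).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
"DllName"="antiwpa.dll"
"Logon"="onLogon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""

if __name__ == "__main__":
    for hit in find_antiwpa_notify(SAMPLE_EXPORT):
        print(hit)
```

The check matches on either the subkey name or the DLL file name, so a renamed subkey that still loads "antiwpa.dll" is reported as well.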
WPA-Patch
Upon execution, this HackTool:Win32/Wpakill variant replaces the "winlogon.exe" file with a modified one, and as a result of this modification, Windows File Protection is disabled.
It may also modify the "OOBETimer" registry value which is a part of the Windows Activation process.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
CHEW-WGA
Upon execution, CHEW-WGA drops and executes the file "autorun.exe" in the %TEMP% folder.
This HackTool:Win32/Wpakill variant makes a number of modifications to the affected computer. The following files are overwritten with modified copies:
- <system folder>\winver.exe
- <system folder>\sppcomapi.dll
- <system folder>\slmgr.vbs
- <system folder>\systemcpl.dll
- <system folder>\dllcache\user32.dll
It then modifies the following files:
- %windir%\WindowsUpdate.log
- <system folder>\drivers\etc\hosts
The following lines are added to <system folder>\drivers\etc\hosts to prevent further genuine checks from being made:
- 127.0.0.1 genuine.microsoft.com
- 127.0.0.1 mpq.one.microsoft.com
- 127.0.0.1 sls.microsoft.com
It may also add the following file:
%TEMP%\chew-wga.log
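A check for the hosts-file change described above, written as an added example that is not part of the original write-up. The function name and the sample hosts content are constructed; the check reports any hosts entry for the three listed hostnames and notes whether it points at a loopback or unspecified address.

```python
import ipaddress

# Hostnames the write-up lists as redirected by CHEW-WGA.
VALIDATION_HOSTS = {
    "genuine.microsoft.com",
    "mpq.one.microsoft.com",
    "sls.microsoft.com",
}

def find_validation_overrides(hosts_text):
    """Return (line_no, address, hostname, is_local) for every hosts entry
    that overrides one of the validation hostnames."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop trailing comments, then split on any run of whitespace.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue  # first field is not an IP address: not a hosts entry
        is_local = ip.is_loopback or ip.is_unspecified
        for name in names:
            host = name.rstrip(".").lower()  # hostnames are case-insensitive
            if host in VALIDATION_HOSTS:
                findings.append((line_no, address, host, is_local))
    return findings

# Constructed sample, not taken from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 genuine.microsoft.com
127.0.0.1\tmpq.one.microsoft.com  SLS.Microsoft.com.   # added by tool
# 127.0.0.1 sls.microsoft.com
10.0.0.5        fileserver.example.internal
"""

if __name__ == "__main__":
    for line_no, address, host, is_local in find_validation_overrides(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {host} -> {address} (local sink: {is_local})")
```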
RemoveWAT
RemoveWAT is a HackTool:Win32/Wpakill variant which, as the name suggests, removes or disables Windows Activation Technologies (WAT).
It usually arrives on the computer as "RemoveWAT.exe".
Upon execution, this HackTool:Win32/Wpakill variant renames the following files and replaces the original files with modified copies:
- <system folder>\user32.dll into %System%\user32.dll.bak
- <system folder>\slmgr.vbs into %System%\slmgr.vbs.removewat
- <system folder>\systemcpl.dll into %System%\systemcpl.dll.bak
- <system folder>\slwga.dll into %System%\slwga.dll.bak
Note: The file "slmgr.vbs" is a part of the Windows Software Licensing Management Tool script, a VBScript used to configure licensing on Windows. See the following article for more information about "slmgr.vbs":
http://technet.microsoft.com/en-us/library/ff793433.aspx
It then takes ownership of the following files and modifies the files' access control lists (ACL) to executable and full access:
- <system folder>\slui.exe
- <system folder>\sppuinotify.dll
- <system folder>\sppsvc.exe
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
RemoveWAT also stops the service "sppsvc", which enables the download, installation and enforcement of digital licenses for Windows and Windows Applications.
RemoveWAT also terminates the following processes, which are related to the Windows Activation Technologies (WAT) services, and changes its ACL permission (access control list permission) to executable:
- WatAdminSvc.exe (Windows Activation Technologies Service)
- WatUX.exe (Windows Activation Technologies)
It then creates a service called "antiwlmssvc", whose only function is to delete the service called "WLMS"; the WLMS service only exists in the evaluation copy of Windows 7/2008.
It may also recreate or replace the file "%windir%\wat.MSU", which is a part of the update for Windows Activation Technologies (WAT).
This HackTool:Win32/Wpakill variant also terminates explorer.exe in hidden mode using taskkill.exe, which, depending on the operating system it is running on, may not impact the computer's performance in any way.
Windows 7 Genuine License Mod
Upon execution, Windows 7 Genuine License Mod replaces the following files with modified copies:
- %APPDATA%\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- %APPDATA%\Microsoft\SoftwareProtectionPlatform\tokens.dat
The files "cache.dat" and "tokens.dat" are part of the Windows 7 OEM (Original Equipment Manufacturer) Activation License files.
MS Activator
MS Activator is a variant of HackTool:Win32/Wpakill which is used to crack or patch several versions of Windows operating systems, and Microsoft Office applications.
Execution
Bundles malware and potentially unwanted software
Hacktools may be downloaded electively from the Internet, but often malware is bundled with these hacktools, unbeknownst to the user.
In the wild, we have observed the following malware and/or potentially unwanted software being bundled with hacktools:
Backdoors, such as:
- Backdoor:Win32/Bifrose.FO
- Backdoor:Win32/Bisar!rts
- Backdoor:Win32/Comdark.A
- Backdoor:Win32/Poisonivy.E
- Backdoor:Win32/Xtrat.A
Worms, such as:
- Worm:Win32/Ainslot.A
- Worm:Win32/Codungi.A
- Worm:Win32/Rebhip
- Worm:Win32/Rebhip.A
- Worm:Win32/Rebhip.F
Password stealers, such as:
- PWS:Win32/Fignotok.A
- PWS:Win32/Fignotok.B
- PWS:Win32/Stealer.M
- PWS:Win32/Zbot
Trojans, such as:
- Trojan:MSIL/Bogoclak.A
- Trojan:Win32/Agent.AGQ
- Trojan:Win32/Alureon.CT
- Trojan:Win32/Alureon.DX
- Trojan:Win32/Anomaly.gen!A
- Trojan:Win32/Bumat!rts
- Trojan:Win32/Comame
- Trojan:Win32/Comisproc
- Trojan:Win32/Coremhead
- Trojan:Win32/Daales.A
- Trojan:Win32/Dynamer!dtc
- Trojan:Win32/Macklamel.A
- Trojan:Win32/Macklamel.B
- Trojan:Win32/Malagent
- Trojan:Win32/Meredrop
- Trojan:Win32/Provis!rts
- Trojan:Win32/Rimod
- Trojan:Win32/Sinis.C
- Trojan:Win32/Sisproc
- Trojan:Win32/Sisproc!rts
- Trojan:Win32/Sisron
- Trojan:Win32/Vundo.gen!D
- TrojanDownloader:Win32/Delf.NA
- TrojanDownloader:Win32/Lopelmoc.A
- TrojanDownloader:Win32/Nistio.A
- TrojanDownloader:Win32/Sinis.C
- TrojanDropper:Win32/Agent.FO
- TrojanDropper:Win32/Alureon.V
- TrojanDropper:Win32/Conhook.A
- TrojanDropper:Win32/FakeFlexnet.A
- TrojanDropper:Win32/Unhjeca.A
- TrojanSpy:Win32/Ardamax.BT
Potentially unwanted software, such as:
- Adware:Win32/AdRotator
- HackTool:MSIL/Binder.B
- HackTool:Win32/CrackSearch.A
- HackTool:Win32/Dump
- HackTool:Win32/Keydump
- HackTool:Win32/Keygen
- MonitoringTool:Win32/PerfectKeylogger
- VirTool:MSIL/Injector.gen!A
- VirTool:MSIL/Injector.gen!B
- VirTool:MSIL/Injector.J
- VirTool:Win32/Evidpatch.A
- VirTool:Win32/Injector.gen!AG
- VirTool:Win32/Injector.gen!CA
- VirTool:Win32/Vbinder.CO
- VirTool:Win32/VBInject
- VirTool:Win32/VBInject.DN
- VirTool:Win32/VBInject.gen!DM
- VirTool:Win32/VBInject.gen!EP
- VirTool:Win32/VBInject.gen!FC
- VirTool:Win32/VBInject.IH
- VirTool:Win32/VBInject.OT
Additional information
For more information on WPA (Windows Product Activation), please refer to the following articles:
- Microsoft Product Activation
- Description of Microsoft Product Activation
- Microsoft Product Activation for Windows XP
- What is Windows Product Activation
For more information on WGA (Windows Genuine Advantage) and WAT (Windows Activation Technologies), please refer to the following articles:
- Windows Genuine Advantage Notifications application
- Windows Activation Technologies in Windows 7
- Activation and Validation in Windows 7
Analysis by Ric Robielos
Last update 07 June 2012