Home / malware HackTool:Win32/Wpakill.dll
First posted on 08 March 2019.
Source: MicrosoftAliases :
There are no other names known for HackTool:Win32/Wpakill.dll.
Explanation :
HackTool:Win32/Wpakill and HackTool:Win32/Wpakill.dll are a series of tools that attempt to disable or bypass WPA (Windows Product Activation) by altering Windows OS files.
Most common files are WPA_Kill.exe and antiwpa.dll, and they are commonly packaged in a self-extracting RAR archive file (aka RarSfx). It is recommended that you do not run any of these files, as they may contain additional malicious or unwanted applications. InstallationHackTool:Win32/Wpakill is commonly packaged in a self-extracting RAR archive file (aka rarsfx). This archive may contain the file "autorun.exe" and an "Autoplay" folder. The binary executable autorun.exe is an AutoPlay Media Studio 6.0 executable that interprets "Autoplayautorun.cdd", a protected archive. This protected archive contains 3 files, of which the main script is "_proj.dat". In "AutoplayDocs" there are several folders, for example: antiwpa DPCDLL-LicViewer gen_antiwpa Magical.Jelly.Bean.Keyfinder.v1.53 Microsoft.Business.Network.v1.0.SP1.Pro.Keymaker.Only-AGAiN Microsoft.ISA.Server.2004.Enterprise.Edition.German.Keymaker.Only-AGAiN Microsoft.ISA.Server.2004.Keymaker.Only-AGAiN Microsoft.Office.Communicator.2005.v1.0.559.Keymaker.Only-AGAiN Microsoft.Office.Professional.2003.Keymaker.Only-AGAiN Microsoft.Operations.Manager.2005.Keymaker.Only-AGAiN Microsoft.Visual.Fox.Pro.v.9.0.Keymaker.Only-AGAiN Microsoft.Windows.Server.2003.x64.Edition.VOL.FIXED.Keymaker.Only-ZWT Microsoft.Windows.XP-Bluelist Microsoft.Windows.XP.2003.Enterprise.Server.Keygen-YAG Microsoft.Windows.XP.Professional.Corporate.Keymaker.Only.READ.NFO-AGAiN Microsoft.Windows.XP.Professional.x64.Corporate.Keymaker.Only-AGAiN RockXP.v.3 Inside the folder named "gen_antiwpa", there are several files, of which "WPA_Kill.exe" is detected as "Hacktool:Win32/Wpakill". Inside "antiwpa" there are 3 folders for each type: AMD64, IA64, X86 and in each of them there is the file "antiwpa.dll" - this file is detected as either "Hacktool:Win32/Wpakill" or "Hacktool:Win32/Wpakill.dll". The patch auto-runs on each start before the WPA-check via:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyAntiWPA System hooks are applied when AntiWPA.dll!onLogon is called by winlogon.exe. Installation is performed via AntiWPA.dll!DllRegisterServer ("regsvr32 AntiWPA.dll"). The file is copied to the Windows system folder, and registry keys are modified. PayloadHackTool:Win32/Wpakill performs the following actions: copies AntiWPA.dll to(eg: C:windowssystem32AntiWPA.dll) registers AntiWPA.dll by adding a registry entry:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifyAntiWPA modifies a registry value:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWPAEvents
OOBETimer="OOBE"1 executes the following instructions:
* rundll32 setupapi,InstallHinfSection DEL_OOBE_ACTIVATE 132 syssetup.inf
* rundll32 setupapi,InstallHinfSection RESTORE_OOBE_ACTIVATE 132 syssetup.inf Simulates booting into safe mode, such that winlogon.exe skips the WPA-Check - this is accomplished using a hook in USER32.DLL and NTDLL.DLL:
* hooks user32.dll! GetSystemMetrics(SM_CLEANBOOT{=0x43})
* hooks ntdll.dll!NtLockProductActivation Additional InformationThe uninstall routine is performed via AntiWPA.dll!DllUnRegisterServer ("regsvr32 -u AntiWPA.dll"). Also, the system file Winlogon.exe is not altered. Patching (API-Hooking) is done in memory, so there are no problems with Windows System File Protection.Last update 08 March 2019
