
HackTool:MSIL/Wpakill.A


First posted on 07 January 2012.
Source: Microsoft

Aliases :

HackTool:MSIL/Wpakill.A is also known as not-a-virus:Crack.RemoveWAT (Kaspersky), Crack-WindowsWGA.a (McAfee), CRCK_REMOVEWAT (Trend Micro), RemoveWAT (other).

Explanation :

HackTool:MSIL/Wpakill.A is a program written in .NET that is used to remove Windows Activation Technologies (WAT), a Microsoft Windows technology used to identify unauthorized or pirated copies of Windows installations. Wpakill is used to remove WAT for the purpose of retaining genuine status, activating the illegal Windows copy and installing Windows updates.

Installation
This program is manually installed and executed. When run, it displays an interface.

Wpakill drops a modified copy of the Windows system file "systemcpl.dll" as two other files:

  • %Windir%\System32\systemcplx64.dll
  • %Windir%\System32\systemcplx86.dll

Next, the program executes a series of command shell instructions that perform the following functions:
  • terminates the Windows software protection service "sppsvc" using "net stop"
  • terminates the Windows Explorer process using "TASKKILL"
  • renames the Windows system file "systemcpl.dll" as "systemcpl.dll.bak"
  • checks if the folder "SYSWOW64" is present in the Windows directory
    • if present, renames "systemcplx64.dll" as "systemcpl.dll"
    • if not present, renames "systemcplx86.dll" as "systemcpl.dll"
  • starts the Windows Explorer process to load the modified "systemcpl.dll" file
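
Added example (not part of Microsoft's write-up): detection logic that correlates process-creation events and flags hosts where the three command-shell steps above occur together. The host names, exact command lines, five-minute window and function name are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# The three command-shell behaviours listed above, as command-line patterns.
STEPS = {
    "stop_sppsvc": re.compile(r"\bnet1?(\.exe)?\s+stop\s+sppsvc\b", re.I),
    "kill_explorer": re.compile(r"\btaskkill\b.*\bexplorer\.exe\b", re.I),
    "rename_systemcpl": re.compile(
        r"\b(ren|rename|move)\b.*\bsystemcpl(x64|x86)?\.dll\b", re.I),
}
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune to your telemetry

def find_wat_tampering(events):
    """events: iterable of (host, ISO-8601 timestamp, command line).
    Returns the sorted hosts on which all three steps occur within WINDOW
    of a single 'net stop sppsvc'."""
    seen = {}  # host -> step name -> list of datetimes
    for host, ts, cmdline in events:
        for step, pattern in STEPS.items():
            if pattern.search(cmdline):
                seen.setdefault(host, {}).setdefault(step, []).append(
                    datetime.fromisoformat(ts))
    flagged = []
    for host, steps in seen.items():
        if len(steps) < len(STEPS):
            continue  # a lone service stop or Explorer restart is routine admin work
        for anchor in steps["stop_sppsvc"]:
            if all(any(abs(t - anchor) <= WINDOW for t in steps[name])
                   for name in STEPS):
                flagged.append(host)
                break
    return sorted(flagged)

# Constructed sample events (hypothetical hosts and command lines).
SAMPLE_EVENTS = [
    ("WS-01", "2012-01-07T10:00:01", r"cmd.exe /c net stop sppsvc"),
    ("WS-01", "2012-01-07T10:00:03", r"cmd.exe /c TASKKILL /F /IM explorer.exe"),
    ("WS-01", "2012-01-07T10:00:04", r"cmd.exe /c ren C:\Windows\System32\systemcpl.dll systemcpl.dll.bak"),
    ("WS-01", "2012-01-07T10:00:05", r"cmd.exe /c ren C:\Windows\System32\systemcplx86.dll systemcpl.dll"),
    ("WS-02", "2012-01-07T11:00:00", r"net stop sppsvc"),               # single step only
    ("WS-03", "2012-01-07T09:00:00", r"taskkill /F /IM explorer.exe"),  # hours before the rest
    ("WS-03", "2012-01-07T15:00:00", r"net stop sppsvc"),
    ("WS-03", "2012-01-07T15:00:02", r"cmd.exe /c ren C:\Windows\System32\systemcpl.dll old.dll"),
]

if __name__ == "__main__":
    print(find_wat_tampering(SAMPLE_EVENTS))
```

The leftover files "systemcplx64.dll", "systemcplx86.dll" and "systemcpl.dll.bak" in %Windir%\System32 are a complementary on-disk check for hosts without process telemetry.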


Analysis by Haoran Yu

Last update 07 January 2012

 
