
HackTool:Win32/Wpakill.C


First posted on 19 October 2010.
Source: SecurityHome

Aliases :

HackTool:Win32/Wpakill.C is also known as Crack-WindowsWGA.b (McAfee), Trojan.Win32.Generic.52202D61 (Rising AV), Chew-WGA (Sunbelt Software), Trojan.ADH (Symantec).

Explanation :

HackTool:Win32/Wpakill.C is a tool that is used to bypass the Windows Genuine Advantage check.

Installation

When the tool is run, it displays a user interface screen (screenshot not reproduced here). The tool creates the following log file on the affected computer:

  • %Local Settings%\Temp\chew-wga.log

Payload

To bypass the genuine check, HackTool:Win32/Wpakill.C makes a number of modifications to the affected computer. The following Windows licensing and version-reporting components are overwritten with malicious copies:

  • <system folder>\winver.exe
  • <system folder>\sppcomapi.dll
  • <system folder>\slmgr.vbs

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

HackTool:Win32/Wpakill.C modifies the following files:

  • %windir%\WindowsUpdate.log
  • <system folder>\drivers\etc\hosts

The following lines are added to <system folder>\drivers\etc\hosts to prevent further genuine checks from being made, by redirecting the Microsoft validation and licensing hosts to the local machine:

  • 127.0.0.1 genuine.microsoft.com
  • 127.0.0.1 mpq.one.microsoft.com
  • 127.0.0.1 sls.microsoft.com

HackTool:Win32/Wpakill.C modifies the following registry key to prevent further activation attempts:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Activation
Sets value: ActionId
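The hosts-file change is the indicator that is easiest to check and to undo, since the overwritten system files need a known-good copy or a signature check to confirm. The script below is an added example, not part of the original analysis: it parses hosts-file text offline, reports the three hostnames listed above when they are mapped to a loopback or null address, goes one step further than the write-up by also reporting any other *.microsoft.com name sinkholed the same way (other activation-bypass tools use the same trick), and rebuilds the file with those entries removed. The sample hosts content, the function names and the set of sinkhole addresses are assumptions made for the demo.

```python
"""Scan a Windows hosts file for the Wpakill.C sinkhole entries.

Added example, not part of the original analysis. Parses hosts-file text
offline, reports the three hostnames the write-up lists, also reports any
other *.microsoft.com name mapped to a loopback or null address (the same
trick used by other activation-bypass tools), and rebuilds the file with
those entries removed. The sample hosts content below is constructed.
"""

# Hostnames the write-up reports Wpakill.C adds, all mapped to 127.0.0.1.
WPAKILL_HOSTS = {
    "genuine.microsoft.com",
    "mpq.one.microsoft.com",
    "sls.microsoft.com",
}

# Addresses that turn a hosts entry into a sinkhole. Assumption: these three
# cover the forms activation-bypass tools write; extend if you see others.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in hosts text.

    Comments after '#' are stripped, blank lines skipped, and a line with
    several hostnames yields one tuple per hostname. Hostnames are
    lower-cased and a trailing dot is removed so comparisons are exact.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        fields = body.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        ip = fields[0]
        for name in fields[1:]:
            yield ip, name.lower().rstrip("."), lineno


def scan_hosts(text):
    """Classify Microsoft hostnames that are sinkholed in hosts text.

    Returns {"wpakill": [...], "other_microsoft": [...]}, each item being
    (line_number, ip, hostname). Only loopback/null mappings count; a
    Microsoft name pointed at a real address is not reported.
    """
    result = {"wpakill": [], "other_microsoft": []}
    for ip, name, lineno in parse_hosts(text):
        if ip not in SINKHOLE_IPS:
            continue
        if name in WPAKILL_HOSTS:
            result["wpakill"].append((lineno, ip, name))
        elif name == "microsoft.com" or name.endswith(".microsoft.com"):
            result["other_microsoft"].append((lineno, ip, name))
    return result


def clean_hosts(text):
    """Return hosts text with the sinkholed Microsoft entries removed.

    A line whose every hostname is flagged is dropped; a line that also
    carries unrelated hostnames keeps those and any trailing comment, so
    a shared line does not lose legitimate entries.
    """
    hits = scan_hosts(text)
    bad = {(lineno, name) for group in hits.values() for lineno, _ip, name in group}
    kept = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            kept.append(raw)  # nothing to map, pass through untouched
            continue
        names = [n for n in fields[1:]
                 if (lineno, n.lower().rstrip(".")) not in bad]
        if names == fields[1:]:
            kept.append(raw)
        elif names:
            rebuilt = " ".join([fields[0]] + names)
            kept.append(rebuilt + (" #" + comment if comment else ""))
        # else: every hostname on the line was a sinkhole entry; drop it
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a default-looking hosts file after Wpakill.C ran, plus
# one extra entry (not from the write-up) to show the generalized check.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 genuine.microsoft.com
127.0.0.1 mpq.one.microsoft.com
127.0.0.1 sls.microsoft.com
0.0.0.0 demo-only.microsoft.com   # constructed, not a Wpakill.C indicator
10.0.0.5 intranet.example.local
"""

if __name__ == "__main__":
    # On a live system read %SystemRoot%\System32\drivers\etc\hosts instead.
    findings = scan_hosts(SAMPLE_HOSTS)
    for label, entries in findings.items():
        for lineno, ip, name in entries:
            print(f"{label:16} line {lineno}: {ip} -> {name}")
    print("--- cleaned hosts ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Removing the hosts entries restores the validation checks but does not by itself repair the overwritten winver.exe, sppcomapi.dll and slmgr.vbs, nor the registry value; treat a hit here as a cue to verify those files against known-good copies (for example with sfc /scannow on a supported Windows) and to review the registry key listed above.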

    Analysis by Michael Johnson

    Last update 19 October 2010
