PE_WAPOMI.S-O

Infection Channel:

Propagates via removable drives, Downloaded from the Internet, Infects files

This file infector arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It infects by appending its code to target host files.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

File Size:

227,328 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

04 Oct 2012

Payload:

Connects to URLs/IPs, Terminates processes, Drops files

Arrival Details

This file infector arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This file infector deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network

File Infection

This file infector infects the following files:

.exe
.exe inside .rar

It infects by appending its code to target host files.

Propagation

This file infector creates the following folders in all removable drives:

recycle.{CLSID}

It drops the following copy(ies) of itself in all removable drives:

recycle.{CLSID}\uninstall.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
OPEN=recycle.{CLSID}\uninstall.exe
shell\open=´ò¿ª(&O)
shell\open\Command=recycle.{CLSID}\uninstall.exe Show
shell\open\Default=1
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command=recycle.{CLSID}\uninstall.exe Show

Process Termination

This file infector terminates the following processes if found running in the affected system's memory:

360tray.exe
Explorer.exe
KSafeTray.exe
MPMon.exe
MPSVC.exe
MPSVC1.exe
MPSVC2.exe
RavMonD.exe
RsAgent.exe

Dropping Routine

This file infector drops the following files:

%System%\dmlocalsvc.dll - detected as TROJ_HORST.JY
%System%\{random}.sys - detected as RTKT_WAPOMI.AP, rootkit component used by this file infector to hide its files, registry entries, and processes

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following file(s), which it uses for its keylogging routine:

%System Root%\Documents and Settings\Infotmp.txt

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Download Routine

This file infector connects to the following URL(s) to download its component file(s):

http://{BLOCKED}.sdo.com/announce?info_hash={characters}&peer_id={characters}&port={port}&uploaded={number}&downloaded={number}&left={number}&event=started&compact={number}&numwant={number}&no_peer_id={number}

HOSTS File Modification

This file infector overwrites the system's HOSTS files to prevent users from accessing the following websites:

127.0.0.1 localhost

Other Details

This file infector connects to the following URL(s) to check for an Internet connection:

www.baidu.com

It inserts the following IFRAME code in webpages:

.html
.htm
.asp
.aspx

NOTES:

This file infector prevents the execution of several security related processes by creating the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\{exe file}
Debugger = "ntsd -d"

{exe file} may be any of the following:

ÐÞ¸´¹¤¾ß.exe
ÐÞ¸´¹¤¾ß.exe
360hotfix.exe
360rp.exe
360rpt.exe
360safe.exe
360SAFE_INSTALLER.exe
360safebox.exe
360sd.exe
360se.exe
360SoftMgrSvc.exe
360speedld.exe
360tray.exe
afwServ.exe
ast.exe
AvastSvc.exe
AvastUI.exe
avcenter.exe
avfwsvc.exe
avgcsrvx.exe
avgemc.exe
avgnsx.exe
avgnt.exe
avgrsx.exe
avgtray.exe
avguard.exe
avgwdsvc.exe
avmailc.exe
avp.exe
avshadow.exe
avwebgrd.exe
bdagent.exe
CCenter.exe
ccSvcHst.exe
dwengine.exe
egui.exe
ekrn.exe
FilMsg.exe
kavstart.exe
kissvc.exe
kmailmon.exe
knsd.exe
knsdsvc.exe
knsdtray.exe
knsdwsc.exe
kpfw32.exe
kpfwsvc.exe
kpopserver.exe
krnl360svc.exe
KSafeSvc.exe
KSafeTray.exe
ksmgui.exe
ksmsvc.exe
kswebshield.exe
kvexpert.exe
KVMonXP.exe
KVMonXP.kxp
kvol.exe
KVSrvXP.exe
kvxp.exe
kwatch.exe
kwstray.exe
kwsupd.exe
kxedefend.exe
kxesapp.exe
kxescore.exe
kxeserv.exe
kxetray.exe
livesrv.exe
mcagent.exe
mcmscsvc.exe
McNASvc.exe
Mcods.exe
McProxy.exe
McSACore.exe
Mcshield.exe
mcsysmon.exe
mcvsshld.exe
mfefire.exe
mfevtps.exe
MOBKbackup.exe
MpfSrv.exe
MPMon.exe
MPSVC.exe
MPSVC1.exe
MPSVC2.exe
msksrver.exe
MsSvHost.exe
QQPCAddWidget.exe
QQPCMgr.exe
QQPCMgr_tz_Setup.exe
QQPConfig.exe
QQPCRTP.EXE
QQPCTray.exe
QQPCUPDATE.EXE
qutmserv.exe
RavMonD.exe
RavTask.exe
RsAgent.exe
Rsmgrsvc.exe
rsnetsvr.exe
RsTray.exe
safeboxTray.exe
ScanFrm.exe
sched.exe
seccenter.exe
SfCtlCom.exe
spideragent.exe
SpIDerMl.exe
spidernt.exe
spiderui.exe
SuperKiller.exe
TMBMSRV.exe
TmProxy.exe
Twister.exe
UfSeAgnt.exe
upsvc.exe
V3PScan.exe
V3SP.exe
vgchsvx.exe
VPSvc.exe
vsserv.exe
zhudongfangyu.exe

It checks if one of the following services is not running:

AppMgmt (appmgmts.dll)
BITS (qmgr.dll)
Browser (browser.dll)
CryptSvc (cryptsvc.dll)
EventSystem (es.dll)
FastUserSwitchingCompatibility (shsvcs.dll)
helpsvc (pchsvc.dll)
Netman (netman.dll)
Nla (mswsock.dll)
Ntmssvc (ntmssvc.dll)
RemoteRegistry (regsvc.dll)
Schedule (schedsvc.dll)
SSDPSRV (ssdpsrv.dll)
Tapisrv (tapisrv.dll)
upnphost (upnphost.dll)
WmdmPmSN (mspmsnsv.dll)
xmlprov (xmlprov.dll)

If found, it replaces the corresponding .dll file with a copy of itself and then starts the said service. However, if all services mentioned above are running, it then enumerates all these services and uses any of their service names.

It hooks the following APIs:

ImmLoadLayout
ZwQueryValueKey

Minimum Scan Engine:

9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Remove the malware/grayware file dropped/downloaded by PE_WAPOMI.S-O

TROJ_HORST.JY
RTKT_WAPOMI.AP

Step 3

Identify and delete files detected as PE_WAPOMI.S-O using either the Startup Disk or Recovery Console

[ Learn More ]

To identify and delete the malware/grayware file:

• On Windows XP and Server 2003 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Click Start>Run. In the Open input box, type secpol.msc and press Enter.
In the left panel, double-click Local Policies>Security Options.
In the right panel, double-click Recovery Console: Allow floppy copy and access to all drives and folders.
Select Enabled and click OK.
Insert the Windows Installation CD into the CD drive, then restart your computer.
When prompted, press any key to boot from the CD.
On the main menu, type r to go to the Recovery Console.
Type the number that corresponds to the drive and directory that contains Windows (usually C:\WINDOWS) and press Enter.
Type the Administrator password and press Enter.
In the input box, type the following then press Enter:
SET AllowAllPaths = TRUE
del "{malware/grayware path and file name}"
Type exit and press Enter to restart the system normally.

• On Windows Vista and 7 systems:

Scan your computer with your Trend Micro product and then take note of the names of the malware/grayware files detected.
Insert your Windows Installation DVD in the DVD drive, then Press the restart button.
When prompted, press any key to boot from the CD.
Depending on your Windows Installation DVD, you might be required to select the installation language. Then on the Install Windows window, choose your language, locale, and keyboard layout or input method. Click Next, then click Repair your computer.
Select Use recovery tools that can help fix problems starting Windows. Select your installation of Windows. Click Next.
If the Startup Repair window appears, click Cancel, Yes, then Finish.
In the System Recovery Options window, click Command Prompt.
In the Command Prompt window, type the following then press Enter:
BootRec.exe /fixmbr
del "{malware/grayware path and file name}"
Type exit and press Enter to close the Command Prompt window.
Click Restart to restart the system normally.

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- {exe file}

Step 5

Search and delete these folders

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result. {drive leter}:\recycle.{CLSID}

Step 6

Search and delete this file

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result. %System Root%\Documents and Settings\Infotmp.txt

Step 7

Search and delete AUTORUN.INF files created by PE_WAPOMI.S-O that contain these strings

[ Learn More ]

[autorun]
OPEN=recycle.{CLSID}\uninstall.exe
shell\open=´ò¿ª(&O)
shell\open\Command=recycle.{CLSID}\uninstall.exe Show
shell\open\Default=1
shell\explore=×ÊÔ´¹ÜÀíÆ÷(&X)
shell\explore\Command=recycle.{CLSID}\uninstall.exe Show

Step 8

Scan your computer with your Trend Micro product to delete files detected as PE_WAPOMI.S-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 9

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

%System%\appmgmts.dll

%System%\qmgr.dll

%System%\shsvcs.dll

%System%\mspmsnsv.dll

%System%\xmlprov.dll

%System%\es.dll

%System%\ntmssvc.dll

%System%\upnphost.dll

%System%\ssdpsrv.dll

%System%\netman.dll

%System%\mswsock.dll

%System%\tapisrv.dll

%System%\browser.dll

%System%\cryptsvc.dll

%System%\pchsvc.dll

%System%\regsvc.dll

%System%\schedsvc.dll

%System%\drivers\etc\hosts

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

PE_WAPOMI.S-O

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific