HKTL_WPAKILL.GC
Troj/WPAKill-A (Sophos); Riskware/WPAKill (Fortinet); HackTool:Win32/Wpakill (Microsoft)
Windows
Threat Type: Hacking Tool
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.
TECHNICAL DETAILS
Arrival Details
This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It arrives as a component bundled with malware/grayware packages.
It may be manually installed by a user.
Installation
This Hacking Tool drops the following copies of itself into the affected system:
- %System%\{malware name}.dll
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Other System Modifications
This Hacking Tool adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\Antiwpa
Impersonate = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\Antiwpa
Asynchronous = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\Antiwpa
DllName = "{malware name}.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\
Notify\Antiwpa
Logon = onLogon
HKEY_LOCAL_MACHINE NT\CurrentVersion\WPAEvents
OOBETimer = {hex values}