Microsoft security software detects and removes this threat.

This family of hacktools is used to patch or "crack" some software so it will run without a valid license or genuine product key.

We recommend you don't run this hacktool as it can be associated with malware or unwanted software.

In the past, we have seen malware on many PCs where hacktools are detected. You can read more in Volume 13 of the Security Intelligence Report.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Hacktools are often installed intentionally. Deleting their installed components will usually remove them.

Threat behavior

HackTool:Win32/Wpakill is a family of hacking tools that try to disable or bypass WPA (Windows Product Activation), WGA (Windows Genuine Advantage) or WAT (Windows Activation Technologies) by altering Windows operating system files, stopping processes, or by stopping services. These checks are implemented by Microsoft in an effort to reduce software piracy by validating if the software has a genuine license or genuine product key.

You might download tools detected as HackTool:Win32/Wpakill to gain access to legitimate programs; however, these tools often contain malware.

Variants of HackTool:Win32/Wpakill were discovered in the wild when Windows XP Windows Product Activation (WPA) and Windows Genuine Advantage (WGA) were developed.


HackTool:Win32/Wpakill may have any of the following file extensions:

  • .exe
  • .dll

When run, some variants of HackTool:Win32/Wpakill might replace legitimate files with their own modified files.

HackTool:Win32/Wpakill variants are usually packaged in an archive, like RAR and ZIP, or as an installer with an enticing file name.

The file names vary and can be virtually any name. Some examples of prevalent variants are listed below:

  • activatewindows
  • anti-wpa
  • antiwat
  • chew
  • chew-wat
  • chew-wga
  • cracksforxp
  • killwga
  • killwpa
  • removewat
  • sp3activationcrack
  • wga
  • wga+crack
  • win7activator
  • win7crack
  • windows7activator+removewat
  • winxpsp2crack
  • winxpsp3
  • wpakill
  • xp-activator
  • xp-crack
  • xpwga

HackTool:Win32/Wpakill variants commonly use any of the following icons in their files:

New variants targeting Windows 8 have been observed using the following icon:

Variants in the wild

There are a number of different HackTool:Win32/Wpakill variants in the wild; each variant displays a different GUI (Graphical User Interface), and makes different changes to your PC.

The following are some examples of variants we have seen in the wild, and the changes they make to the PC on which they are installed:

Pirate Activator

Pirate Activator is a new variant of HackTool:Win32/Wpakill that includes options to crack WAT for Windows 8.

When run, the tool replaces the following system files with changed copies:

  • Management Center files:
    • ActionCenterCPL.dll
    • ActionCenter.dll.mui (resources)
  • Activation Center files:
    • GenuineCenter.dll
    • genuinecenter.dll.mui (resources)
    • Windows.UI.Immersive.dll
  • Panel files:
    • systemcpl.dll.mui (resources)
    • SystemSettings.exe.mui (resources)
  • License files:
    • slc.dll
    • slmgr.vbs

XP Crack

XP Crack is a component of HackTool:Win32/Wpakill that is used to crack the Windows XP activation process.

When run, it might delete the following files:

It then de-registers the following DLL files, which form a part of the Windows XP activation process:

  • regwizc.dll
  • licdll.dll

It may then shut down and reboot the PC to complete its installation process.

Windows XP Activator

When run, Windows XP Activator replaces the winlogon.exe file with its own changed file.

As part of its installation routine, Windows XP Activator might make the following changes to the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
Sets value: "LastWPAEventLogged"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "CurrentBuild"
Sets value: "ProductId"
Sets value: "DigitalProductId"
Sets value: "LicenseInfo"

Once these registry entries have been changed, the PC will be restarted, and will undergo a new activation process by using the command msoobe / with the new values in the registry.

Windows XP Validation Crack/Patcher

The following are some examples of various HackTool:Win32/Wpakill variants that are designed to bypass WPA (Windows Product Activation) when the user is installing Windows XP:

When run, these tools create the following VBScript file:

<system folder>\syswinan.vbs

This file is used to change the Windows XP key from a legitimate key to a compromised key.

It then opens the system file cscript.exe to delete the following validation-related registry key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer

It also replaces the file <system folder>\wpa.dbl with its own changed file.


When run, AntiWPA drops the file antiwpa.dll in the Windows system folder.

It then creates the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa
Sets value: "Impersonate"
With data: dword:00000000
Sets value: "Asynchronous"
With data: dword:00000000
Sets value: "DllName"
With data: "antiwpa.dll"
Sets value: "Logon"
With data: "onLogon"

It then removes the Activate Windows link from the Start Menu and forces the Activate Windows dialog to display Already Activated.

AntiWPA might also change the following registry entries, and then re-activate Windows with the new values set in the registry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
Sets value: "LastWPAEventLogged"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "CurrentBuild"
Sets value: "InstallDate"
Sets value: "ProductId"
Sets value: "DigitalProductId"
Sets value: "LicenseInfo"
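The two registry indicators described above (the Winlogon Notify package registered by AntiWPA and the OOBETimer value deleted by the XP validation patcher) can be checked offline against a registry export. This is an added example, not part of the original entry; the sample export, the ExamplePkg key and the function names are constructed for illustration.

```python
import re
# Registry paths and the DLL name come from the AntiWPA and XP validation
# patcher descriptions on this page; everything else here is illustrative.
CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
NOTIFY_KEY = CV + r"\Winlogon\Notify"
WPAEVENTS_KEY = CV + r"\WPAEvents"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"LastWPAEventLogged"=hex:d5,07,05,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
"Impersonate"=dword:00000000
"DllName"="antiwpa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExamplePkg]
"DllName"="C:\\Example\\example.dll"
'''

def parse_reg_export(text):
    """Parse `reg export` text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := SECTION_RE.match(line)):
            current = keys.setdefault(m.group("key"), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m.group("data")
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            current[m.group("name")] = data
    return keys

def triage(keys):
    """Return findings for the two registry indicators described above."""
    lowered = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key, values in lowered.items():
        if key.startswith(NOTIFY_KEY.lower() + "\\"):
            dll = values.get("DllName", "")
            if key.endswith("\\antiwpa") or dll.lower().endswith("antiwpa.dll"):
                findings.append(("notify-package", key.rsplit("\\", 1)[1], dll))
    wpa = lowered.get(WPAEVENTS_KEY.lower())
    if wpa is not None and "OOBETimer" not in wpa:  # key exported, value gone
        findings.append(("oobetimer-missing", "WPAEvents", ""))
    return findings
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`.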


When run, this HackTool:Win32/Wpakill variant replaces the winlogon.exe file with a changed one, and as a result of this change, Windows File Protection is disabled.

It may also change the OOBETimer registry value, which is a part of the Windows Activation process.

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"


When run, CHEW-WGA drops and runs the file autorun.exe in the %TEMP% folder.

This HackTool:Win32/Wpakill variant makes a number of changes to your PC. The following files are overwritten with changed copies:

  • <system folder>\winver.exe
  • <system folder>\sppcomapi.dll
  • <system folder>\slmgr.vbs
  • <system folder>\systemcpl.dll
  • <system folder>\dllcache\user32.dll

It then changes the following files:

  • %windir%\WindowsUpdate.log
  • <system folder>\drivers\etc\hosts

The following lines are added to <system folder>\drivers\etc\hosts to stop more genuine checks from being made:


It may also add the file %TEMP%\chew-wga.log.


RemoveWAT is a HackTool:Win32/Wpakill variant which, as the name suggests, removes or disables Windows Activation Technologies (WAT).

It usually arrives on the PC as RemoveWAT.exe.

When run, this HackTool:Win32/Wpakill variant renames the following files and replaces the original files with changed copies:

Note: The file slmgr.vbs is a part of the Windows Software Licensing Management Tool script, a VBScript used to configure licensing on Windows. See the following article for more information about slmgr.vbs:

It then takes ownership of the following files and changes the files' access control lists (ACL) to "executable" and "full access":

RemoveWAT also stops the service sppsvc, which enables the download, installation and enforcement of digital licenses for Windows and Windows Applications.

RemoveWAT also stops the following processes, which are related to the Windows Activation Technologies (WAT) services, and changes their ACL permission (access control list permission) to "executable":

  • WatAdminSvc.exe (Windows Activation Technologies Service)
  • WatUX.exe (Windows Activation Technologies)

It then creates a service called antiwlmssvc, whose function is to delete the service called WLMS; the WLMS service only exists in the evaluation copy of Windows 7/2008.

It may also recreate or replace the file %windir%\wat.MSU, which is a part of the update for Windows Activation Technologies (WAT).

This HackTool:Win32/Wpakill variant also stops the process explorer.exe in hidden mode using taskkill.exe, which, depending on the operating system it's running on, may not impact the PC's performance in any way.

Windows 7 Genuine License Mod

When run, Windows 7 Genuine License Mod replaces the following files with changed copies:

  • %APPDATA%\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
  • %APPDATA%\Microsoft\SoftwareProtectionPlatform\tokens.dat

The files cache.dat and tokens.dat are part of the Windows 7 OEM (Original Equipment Manufacturer) Activation License files.

MS Activator

MS Activator is a variant of HackTool:Win32/Wpakill which is used to crack or patch several versions of Windows operating systems, and Microsoft Office applications.


Bundles malware and unwanted software

Hacktools may be downloaded electively from the Internet, but often malware is bundled with these hacktools, without the user's knowledge.

In the wild, we have observed the following malware and/or unwanted software being bundled with hacktools:

Backdoors, like:

Worms, like:

Password stealers, like:

Trojans, like:

Unwanted software, like:

Additional information

For more information on WPA (Windows Product Activation), please refer to the following articles:

For more information on WGA (Windows Genuine Advantage) and WAT (Windows Activation Technologies), please refer to the following articles:

Analysis by Ric Robielos


Alerts from your security software may be the only symptom.


Alert level: Medium
First detected by definition:
Latest detected by definition: and higher
First detected on: Oct 07, 2008
This entry was first published on: Oct 24, 2007
This entry was updated on: Sep 24, 2014

This threat is also detected as:
  • Tool-WPAKill (McAfee)
  • Hacktool (Symantec)