HackTool:Win32/Wpakill is a family of hacking tools that try to disable or bypass WPA (Windows Product Activation), WGA (Windows Genuine Advantage) or WAT (Windows Activation Technologies). This family of threats does so by altering Windows operating system files, stopping processes, or by stopping services. These checks are implemented by Microsoft in an effort to reduce software piracy by validating if the software has a genuine license or genuine product key.
You might download tools detected as HackTool:Win32/Wpakill in order to run Windows without a genuine license or product key. However, these tools often contain malware.
Variants of HackTool:Win32/Wpakill were first seen in the wild around the time Windows XP introduced Windows Product Activation (WPA) and Windows Genuine Advantage (WGA).
Installation
HackTool:Win32/Wpakill might have any of the following file extensions:
When run, some variants of HackTool:Win32/Wpakill might replace legitimate files with their own modified files.
HackTool:Win32/Wpakill variants are usually packaged in an archive, such as RAR or ZIP, or as an installer with an enticing file name.
The file names vary and can be virtually any name. Some examples of prevalent variants are listed below:
- activatewindows
- anti-wpa
- antiwat
- chew
- chew-wat
- chew-wga
- cracksforxp
- killwga
- killwpa
- removewat
- sp3activationcrack
- wga
- wga+crack
- win7activator
- win7crack
- windows7activator+removewat
- winxpsp2crack
- winxpsp3
- wpakill
- xp-activator
- xp-crack
- xpwga
HackTool:Win32/Wpakill variants commonly use any of the following icons in their files:
New variants targeting Windows 8 have been observed using the following icon:
Variants in the wild
There are a number of different HackTool:Win32/Wpakill variants in the wild; each variant displays a different GUI (Graphical User Interface), and makes different changes to your PC.
The following are some examples of variants we have seen in the wild, and the changes they make to the PC on which they are installed:
Pirate Activator
Pirate Activator is a new variant of HackTool:Win32/Wpakill that includes options to crack WAT for Windows 8.
When run, the tool replaces the following system files with changed copies:
- Management Center files:
  - ActionCenterCPL.dll
  - ActionCenter.dll.mui (resources)
- Activation Center files:
  - GenuineCenter.dll
  - genuinecenter.dll.mui (resources)
  - Windows.UI.Immersive.dll
- Control Panel files:
  - systemcpl.dll.mui (resources)
  - SystemSettings.exe.mui (resources)
- License files:
XP Crack
XP Crack is a component of HackTool:Win32/Wpakill that is used to crack the Windows XP activation process.
When run, it might delete the following files:
It then de-registers the following DLL files, which form a part of the Windows XP activation process:
It might then shut down and reboot the PC to complete its installation process.
Windows XP Activator
When run, Windows XP Activator replaces the winlogon.exe file with its own changed file.
As part of its installation routine, Windows XP Activator might make the following changes to the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
Sets value: "LastWPAEventLogged"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "CurrentBuild"
Sets value: "ProductId"
Sets value: "DigitalProductId"
Sets value: "LicenseInfo"
Once these registry entries have been changed, the PC is restarted and goes through a new activation pass, launching the activation wizard (msoobe.exe) so that it reads the new values from the registry.
Windows XP Validation Crack/Patcher
The following are some examples of various HackTool:Win32/Wpakill variants that are designed to bypass WPA (Windows Product Activation) when the user is installing Windows XP:
When run, these tools create the following VBScript file:
<system folder>\syswinan.vbs
This script replaces the installed Windows XP product key with a compromised (leaked) key.
The tool then runs the script with cscript.exe, which deletes the following validation-related registry value:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer
It also replaces the file <system folder>\wpa.dbl with its own changed file.
AntiWPA
When run, AntiWPA drops the file antiwpa.dll in the Windows system folder.
It then creates the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa
Sets value: "Impersonate"
With data: dword:00000000
Sets value: "Asynchronous"
With data: dword:00000000
Sets value: "DllName"
With data: "antiwpa.dll"
Sets value: "Logon"
With data: "onLogon"
It then removes the Activate Windows link from the Start Menu and forces the Activate Windows dialog to display Already Activated.
AntiWPA might also change the following registry entries, and then re-activates Windows with the new values set in the registry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
Sets value: "LastWPAEventLogged"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Sets value: "CurrentBuild"
Sets value: "InstallDate"
Sets value: "ProductId"
Sets value: "DigitalProductId"
Sets value: "LicenseInfo"
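The registry and file changes attributed above to Windows XP Activator, the Windows XP Validation Crack/Patcher and AntiWPA can be checked for directly on a suspect host. The following triage script is an added example and is not code from the original write-up; it reads the Winlogon notification packages (where AntiWPA registers antiwpa.dll), dumps the WPAEvents values in hex for comparison with a known-good machine, and looks for the dropped files antiwpa.dll and syswinan.vbs in the system folder. The `wpa|wga|wat` name heuristic and the output layout are assumptions of the example.

```powershell
# Added triage example; not code from the original write-up.
# Audits the locations the AntiWPA, Windows XP Activator and Validation Crack
# descriptions above name: Winlogon notification packages, the WPAEvents key
# and the dropped files antiwpa.dll / syswinan.vbs. Run from an elevated
# Windows PowerShell 3.0+ prompt. The name heuristic below is an assumption.

$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$wpaEvents  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents'
$systemDir  = [Environment]::GetFolderPath('System')

function Get-WinlogonNotifyPackages {
    # Each subkey under Winlogon\Notify registers a DLL that winlogon (XP/2003)
    # loads at logon; AntiWPA registers 'Antiwpa' with DllName antiwpa.dll.
    if (-not (Test-Path $notifyRoot)) { return @() }
    foreach ($key in Get-ChildItem $notifyRoot) {
        $props = Get-ItemProperty $key.PSPath
        $dll   = [string]$props.DllName
        # A bare file name is resolved from the system folder, as winlogon does.
        $path = ''
        if ($dll) {
            $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $systemDir $dll }
        }
        $sig = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Package    = $key.PSChildName
            DllName    = $dll
            Resolved   = $path
            Signature  = $sig
            Logon      = [string]$props.Logon
            # Heuristic (assumption): activator packages tend to name themselves after the check they defeat.
            Suspicious = ($key.PSChildName -match 'wpa|wga|wat') -or ($dll -match 'wpa|wga|wat')
        }
    }
}

function Get-WpaEventsState {
    # Activators rewrite OOBETimer (REG_BINARY) so the grace period looks
    # satisfied. Values are shown as hex for comparison with a known-good host.
    if (-not (Test-Path $wpaEvents)) { return $null }
    $p   = Get-ItemProperty $wpaEvents
    $hex = { param($b) if ($null -eq $b) { '<absent>' } else { ($b | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' } }
    [pscustomobject]@{
        OOBETimer          = & $hex $p.OOBETimer
        LastWPAEventLogged = & $hex $p.LastWPAEventLogged
    }
}

function Get-DroppedActivatorFiles {
    # Files the AntiWPA and Validation Crack descriptions say are dropped.
    foreach ($name in 'antiwpa.dll', 'syswinan.vbs') {
        $f = Join-Path $systemDir $name
        [pscustomobject]@{ File = $f; Present = (Test-Path $f) }
    }
}

Get-WinlogonNotifyPackages | Format-Table -AutoSize
Get-WpaEventsState         | Format-List
Get-DroppedActivatorFiles  | Format-Table -AutoSize
```

Two caveats when reading the output: most Windows system DLLs are catalog-signed, so on older PowerShell versions legitimate notification packages (crypt32chain, cscdll, ScCertProp and so on) report NotSigned, which is why the Suspicious column keys on the name rather than the signature; and on Vista and later winlogon no longer loads Notify packages, so an Antiwpa subkey there is evidence the tool ran rather than active persistence. Windows XP tops out at PowerShell 2.0, where `[pscustomobject]@{...}` must be replaced with `New-Object PSObject -Property @{...}`.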
WPA-Patch
When run, this HackTool:Win32/Wpakill variant replaces the winlogon.exe file with a changed one, and as a result of this change, Windows File Protection is disabled.
It might also change the OOBETimer registry value which is a part of the Windows Activation process.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents
Sets value: "OOBETimer"
CHEW-WGA
When run, CHEW-WGA drops and runs the file autorun.exe in the %TEMP% folder.
This HackTool:Win32/Wpakill variant makes a number of changes to your PC. The following files are overwritten with changed copies:
- <system folder>\winver.exe
- <system folder>\sppcomapi.dll
- <system folder>\slmgr.vbs
- <system folder>\systemcpl.dll
- <system folder>\dllcache\user32.dll
It then modifies the following files:
- %windir%\WindowsUpdate.log
- <system folder>\drivers\etc\hosts
The following lines are added to <system folder>\drivers\etc\hosts so that further genuine-validation checks never reach Microsoft:
- 127.0.0.1 genuine.microsoft.com
- 127.0.0.1 mpq.one.microsoft.com
- 127.0.0.1 sls.microsoft.com
It might also add the file %TEMP%\chew-wga.log.
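The two tampering patterns described for CHEW-WGA, sinkholing Microsoft validation hosts in the hosts file and overwriting signed system binaries, leave artifacts that can be enumerated from the host. The script below is an added example, not code from the original write-up: it parses the hosts file for any microsoft.com name mapped to a loopback address (broader than the three hosts listed above), verifies the Authenticode status of the files the page says are overwritten, and checks for the %TEMP%\chew-wga.log file. The output layout and the loopback regex are assumptions of the example.

```powershell
# Added triage example; not code from the original write-up.
# Checks for the CHEW-WGA side effects described above: sinkholed Microsoft
# hosts in the hosts file, overwritten system files, and the dropped log.
# Domain and file names come from the description; the loopback pattern and
# the generalisation to any *.microsoft.com host are assumptions.

$systemDir = [Environment]::GetFolderPath('System')
$hostsPath = Join-Path $systemDir 'drivers\etc\hosts'

function Get-SinkholedMicrosoftHosts {
    # Parse "address hostname [# comment]" lines, skipping comments and blanks.
    $entries = foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
        if ($line -match '^\s*#' -or $line -notmatch '\S') { continue }
        $parts = ($line -split '\s+') | Where-Object { $_ }
        [pscustomobject]@{ Address = $parts[0]; Host = $parts[1]; Line = $line }
    }
    # Any microsoft.com name pointed at loopback/unspecified is suspicious;
    # the page lists genuine.microsoft.com, mpq.one.microsoft.com, sls.microsoft.com.
    $entries | Where-Object {
        $_.Host -match '(^|\.)microsoft\.com$' -and $_.Address -match '^(127\.|0\.0\.0\.0$|::1$)'
    }
}

function Get-OverwrittenFileStatus {
    # Files the page says CHEW-WGA replaces with modified copies.
    $names = 'winver.exe', 'sppcomapi.dll', 'slmgr.vbs', 'systemcpl.dll', 'dllcache\user32.dll'
    foreach ($name in $names) {
        $f = Join-Path $systemDir $name
        if (-not (Test-Path $f)) {
            [pscustomobject]@{ File = $f; Status = 'Missing'; Signer = ''; LastWrite = $null }
            continue
        }
        $sig  = Get-AuthenticodeSignature $f
        $item = Get-Item $f
        [pscustomobject]@{
            File      = $f
            Status    = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LastWrite = $item.LastWriteTime
        }
    }
}

function Get-ChewWgaLog {
    $log = Join-Path $env:TEMP 'chew-wga.log'
    [pscustomobject]@{ File = $log; Present = (Test-Path $log) }
}

'Sinkholed Microsoft hosts:'
Get-SinkholedMicrosoftHosts | Format-Table Address, Host -AutoSize
'System file signature status:'
Get-OverwrittenFileStatus   | Format-Table -AutoSize
Get-ChewWgaLog              | Format-Table -AutoSize
```

On Windows 7 and earlier, files that are catalog-signed rather than embedded-signed show as NotSigned here even when they are pristine, so treat an unexpected LastWriteTime as the stronger signal and confirm with `sfc /verifyonly` (or `sfc /scannow` on XP), which compares the files against the protected originals. A user32.dll copy in dllcache that differs from the live <system folder>\user32.dll is exactly what Windows File Protection would otherwise restore, which is why the tool replaces both.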
RemoveWAT
RemoveWAT is a HackTool:Win32/Wpakill variant which, as its name suggests, removes or disables Windows Activation Technologies (WAT).
It usually arrives on the PC as RemoveWAT.exe.
When run, this HackTool:Win32/Wpakill variant renames the following files and replaces the original files with changed copies:
Note: The file slmgr.vbs is a part of the Windows Software Licensing Management Tool script, a VBScript used to configure licensing on Windows. See the following article for more information about slmgr.vbs:
http://technet.microsoft.com/en-us/library/ff793433.aspx
It then takes ownership of the following files and changes their access control lists (ACLs) to "executable" and "full access":
RemoveWAT also stops the service sppsvc, which handles the download, installation and enforcement of digital licenses for Windows and Windows applications.
RemoveWAT also stops the following processes, which belong to the Windows Activation Technologies (WAT) services, and changes their ACL permissions to "executable":
- WatAdminSvc.exe (Windows Activation Technologies Service)
- WatUX.exe (Windows Activation Technologies)
It then creates a service called antiwlmssvc, whose function is to delete the service called WLMS; the WLMS service only exists in the evaluation copy of Windows 7/2008.
It might also recreate or replace the file %windir%\wat.MSU, which is a part of the update for Windows Activation Technologies (WAT).
This HackTool:Win32/Wpakill variant also silently terminates the process explorer.exe using taskkill.exe, which, depending on the operating system it is running on, may not noticeably affect the PC's performance.
Windows 7 Genuine License Mod
When run, Windows 7 Genuine License Mod replaces the following files with changed copies:
- %APPDATA%\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- %APPDATA%\Microsoft\SoftwareProtectionPlatform\tokens.dat
The files cache.dat and tokens.dat are part of the Windows 7 OEM (Original Equipment Manufacturer) Activation License files.
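The RemoveWAT and Windows 7 Genuine License Mod descriptions above name specific services, files and ACL changes, all of which can be inspected without running the tools. The script below is an added example and is not code from the original write-up: it reports the state of sppsvc, WLMS and the dropped antiwlmssvc service, checks the owner and any broad Allow/FullControl entries on the licensing files an activator must re-own before replacing, and locates tokens.dat. The paths assumed for WatAdminSvc.exe and WatUX.exe (System32\Wat) and the NetworkService-profile location for tokens.dat are assumptions of the example, as the page gives only names and a %APPDATA% path.

```powershell
# Added triage example; not code from the original write-up.
# Looks for the side effects attributed above to RemoveWAT (stopped sppsvc,
# stopped/re-ACLed WAT processes, a dropped antiwlmssvc service, a replaced
# wat.MSU, re-owned licensing files) and to Windows 7 Genuine License Mod
# (replaced tokens.dat / cache.dat). Service and file names come from the page;
# the expected owner, the System32\Wat path and the ServiceProfiles location
# for tokens.dat are assumptions. Get-WmiObject is used so it runs on PS 2.0/3.0.

$systemDir = [Environment]::GetFolderPath('System')
$winDir    = $env:windir
$expectedOwner = 'NT SERVICE\TrustedInstaller'   # assumption: Vista+ default owner of protected files

function Get-ServiceState([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $Name
        Present   = [bool]$svc
        Status    = if ($svc) { $svc.Status } else { '' }
        StartMode = if ($wmi) { $wmi.StartMode } else { '' }
        PathName  = if ($wmi) { $wmi.PathName } else { '' }
    }
}

function Get-ActivationServices {
    # sppsvc should exist and normally be Running; antiwlmssvc should not exist
    # at all on a clean system; WLMS exists only on evaluation media.
    foreach ($n in 'sppsvc', 'WLMS', 'antiwlmssvc') { Get-ServiceState $n }
}

function Get-LicensingFileAcls {
    $files = @(
        (Join-Path $systemDir 'slmgr.vbs'),
        (Join-Path $systemDir 'sppcomapi.dll'),
        (Join-Path $systemDir 'Wat\WatAdminSvc.exe'),   # assumed path
        (Join-Path $systemDir 'Wat\WatUX.exe'),         # assumed path
        (Join-Path $winDir 'wat.MSU')
    )
    foreach ($f in $files) {
        if (-not (Test-Path $f)) {
            [pscustomobject]@{ File = $f; Owner = '<missing>'; OwnerOk = $false; BroadFullControl = $false }
            continue
        }
        $acl = Get-Acl $f
        # An activator that "takes ownership" and grants "full access" leaves
        # a non-TrustedInstaller owner and/or an Allow:FullControl for broad groups.
        $broad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' -and
            $_.FileSystemRights.ToString() -match 'FullControl'
        }
        [pscustomobject]@{
            File             = $f
            Owner            = $acl.Owner
            OwnerOk          = ($acl.Owner -eq $expectedOwner)
            BroadFullControl = [bool]$broad
        }
    }
}

function Get-TokenStores {
    # Windows 7 keeps tokens.dat under the NetworkService profile (assumption);
    # the page's %APPDATA% path is kept as a second candidate.
    $candidates = @(
        (Join-Path $winDir 'ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat'),
        (Join-Path $env:APPDATA 'Microsoft\SoftwareProtectionPlatform\tokens.dat'),
        (Join-Path $env:APPDATA 'Microsoft\SoftwareProtectionPlatform\Cache\cache.dat')
    )
    foreach ($c in $candidates) {
        if (Test-Path $c) { Get-Item $c | Select-Object FullName, Length, LastWriteTime }
    }
}

Get-ActivationServices | Format-Table -AutoSize
Get-LicensingFileAcls  | Format-Table -AutoSize
Get-TokenStores        | Format-Table -AutoSize
```

A stopped or Disabled sppsvc together with slmgr.vbs owned by an administrator account rather than TrustedInstaller is the combination RemoveWAT produces; on a clean Windows 7 install `slmgr.vbs /dlv` (run through cscript) should still report a licensing status, whereas after RemoveWAT the call typically fails because the script and the service it talks to have both been tampered with.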
MS Activator
MS Activator is a variant of HackTool:Win32/Wpakill which is used to crack or patch several versions of Windows operating systems, and Microsoft Office applications.
Behavior
Bundles malware and unwanted software
Hacktools may be downloaded deliberately from the Internet, but malware is often bundled with them without the user's knowledge.
In the wild, we have observed the following malware and/or unwanted software being bundled with hacktools:
Backdoors, like:
Worms, like:
Password stealers, like:
Trojans, like:
Unwanted software, like:
Additional information
For more information on WPA (Windows Product Activation), please refer to the following articles:
For more information on WGA (Windows Genuine Advantage) and WAT (Windows Activation Technologies), please refer to the following articles:
Analysis by Ric Robielos