Threat behavior
HackTool:Win32/Wpakill and HackTool:Win32/Wpakill.dll are a series of tools that attempt to disable or bypass WPA (Windows Product Activation) by altering Windows OS files.
The most common files are WPA_Kill.exe and antiwpa.dll, and they are usually packaged in a self-extracting RAR archive (RarSfx). It is recommended that you do not run any of these files, as they may contain additional malicious or unwanted applications.
Installation
HackTool:Win32/Wpakill is commonly packaged in a self-extracting RAR archive (RarSfx). This archive may contain the file "autorun.exe" and an "Autoplay" folder. The binary executable autorun.exe is an AutoPlay Media Studio 6.0 executable that interprets "\Autoplay\autorun.cdd", a protected archive. This protected archive contains 3 files, of which the main script is "_proj.dat".
In "Autoplay\Docs\" there are several folders, for example:
antiwpa
DPCDLL-LicViewer
gen_antiwpa
Magical.Jelly.Bean.Keyfinder.v1.53
Microsoft.Business.Network.v1.0.SP1.Pro.Keymaker.Only-AGAiN
Microsoft.ISA.Server.2004.Enterprise.Edition.German.Keymaker.Only-AGAiN
Microsoft.ISA.Server.2004.Keymaker.Only-AGAiN
Microsoft.Office.Communicator.2005.v1.0.559.Keymaker.Only-AGAiN
Microsoft.Office.Professional.2003.Keymaker.Only-AGAiN
Microsoft.Operations.Manager.2005.Keymaker.Only-AGAiN
Microsoft.Visual.Fox.Pro.v.9.0.Keymaker.Only-AGAiN
Microsoft.Windows.Server.2003.x64.Edition.VOL.FIXED.Keymaker.Only-ZWT
Microsoft.Windows.XP-Bluelist
Microsoft.Windows.XP.2003.Enterprise.Server.Keygen-YAG
Microsoft.Windows.XP.Professional.Corporate.Keymaker.Only.READ.NFO-AGAiN
Microsoft.Windows.XP.Professional.x64.Corporate.Keymaker.Only-AGAiN
RockXP.v.3
Inside the folder named "gen_antiwpa" there are several files, of which "WPA_Kill.exe" is detected as "Hacktool:Win32/Wpakill". Inside "antiwpa" there are 3 folders, one for each architecture (AMD64, IA64 and X86), and each of them contains the file "antiwpa.dll"; this file is detected as either "Hacktool:Win32/Wpakill" or "Hacktool:Win32/Wpakill.dll".
The patch auto-runs at each startup, before the WPA check, via the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AntiWPA
System hooks are applied when AntiWPA.dll!onLogon is called by winlogon.exe. Installation is performed via AntiWPA.dll!DllRegisterServer ("regsvr32 AntiWPA.dll"). The file is copied to the Windows system folder, and registry keys are modified.
Payload
HackTool:Win32/Wpakill performs the following actions:
copies AntiWPA.dll to <system folder> (e.g. C:\windows\system32\AntiWPA.dll)
registers AntiWPA.dll by adding a registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AntiWPA
modifies a registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\
OOBETimer="OOBE"1
executes the following instructions:
* rundll32 setupapi,InstallHinfSection DEL_OOBE_ACTIVATE 132 syssetup.inf
* rundll32 setupapi,InstallHinfSection RESTORE_OOBE_ACTIVATE 132 syssetup.inf
Simulates booting into safe mode, so that winlogon.exe skips the WPA check; this is accomplished using hooks in USER32.DLL and NTDLL.DLL:
* hooks user32.dll!GetSystemMetrics(SM_CLEANBOOT = 0x43)
* hooks ntdll.dll!NtLockProductActivation
Additional Information
The uninstall routine is performed via AntiWPA.dll!DllUnregisterServer ("regsvr32 -u AntiWPA.dll"). The system file winlogon.exe itself is not altered: patching (API hooking) is done in memory, so there is no conflict with Windows File Protection.
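Because the hooks live only in memory, the durable artifacts of this tool are the registry entries listed under Payload. As an added example that is not part of this description, the following Python parses a "reg export" of the Winlogon\Notify and WPAEvents keys and flags those entries; the sample export, its Notify value names and the OOBETimer bytes are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of a "reg export" taken after the installation described
# above. The Notify value names (DLLName/Logon/Asynchronous) follow the Winlogon
# notification-package layout; the OOBETimer bytes are a placeholder, not a signature.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AntiWPA]
"DLLName"="AntiWPA.dll"
"Logon"="onLogon"
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:00,11,22,33,44,55,66,77,\
  88,99,aa,bb
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
WPAEVENTS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents"


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the .reg subset written by 'reg export': [key] headers and "name"=value
    lines (string, dword: and hex: values; hex lines ending in '\\' are continued)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):               # hex value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def find_wpakill_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings matching the persistence described above (case-insensitive key match)."""
    findings = []
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            subkey = key[len(NOTIFY_KEY) + 1:]
            dll = values.get("DLLName", "").strip('"')
            logon = values.get("Logon", "").strip('"')
            # High confidence: the AntiWPA subkey, or any Notify package loading AntiWPA.dll
            if subkey.lower() == "antiwpa" or "antiwpa" in dll.lower():
                findings.append(f"Winlogon Notify package '{subkey}' loads {dll or '?'} via {logon or '?'}")
        elif key.lower() == WPAEVENTS_KEY.lower() and "OOBETimer" in values:
            # Informational only: the tool rewrites OOBETimer, so compare with a known-good baseline
            findings.append(f"WPAEvents OOBETimer present, compare to baseline: {values['OOBETimer']}")
    return findings
```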
Prevention