WELCOME TO "PLIK KUD TANI RUKUN KRETEK". THANK YOU FOR USING OUR SERVICE. IF YOU EXPERIENCE ANY DIFFICULTY OR INCONVENIENCE WHILE USING OUR SERVICE, PLEASE CONTACT US; WE ARE READY TO SERVE YOU.











PUSAT DATA DAN SARANA INFORMATIKA
KEMENTERIAN KOMUNIKASI DAN INFORMATIKA © 2013

Jl. Medan Merdeka Barat No. 9, Jakarta Pusat, 10110
Contact: kontak.kominfo.go.id
Telephone: (021) 38433507 - (021) 34833508

Wednesday, 16 January 2013

INTRODUCTION TO WINDOWS OPERATING SYSTEM PIRACY PROGRAMS

Let us get to know Windows Activator. A Windows Activator is a program that can pirate an operating system, making it appear as if the operating system were original / genuine. However, on close inspection, the program turns out to be dangerous to our computers, particularly those running the Microsoft Windows operating system, because it contains viruses/malware. This is what such a Windows Activator looks like. Windows Activator does not work on operating systems other than Windows.

The file names vary and can be virtually any name. Some examples of prevalent variants are listed below: 

  1. activatewindows 
  2. anti-wpa 
  3. antiwat 
  4. chew 
  5. chew-wat 
  6. chew-wga 
  7. cracksforxp 
  8. killwga 
  9. killwpa 
  10. removewat 
  11. sp3activationcrack 
  12. wga 
  13. wga+crack 
  14. win7activator 
  15. win7crack 
  16. windows7activator+removewat 
  17. winxpsp2crack 
  18. winxpsp3 
  19. wpakill 
  20. xp-activator 
  21. xp-crack 
  22. xpwga 


HackTool:Win32/Wpakill variants commonly use any of the following icons in their executable files:




New variants targeting Windows 8 have been observed using the following icon:




Installation details vary from variant to variant; see below for more installation details about specific variants.

Variants in the wild

There are a number of different HackTool:Win32/Wpakill variants in the wild; each variant displays a different GUI (Graphical User Interface), and makes different changes to the computer.


Below are some examples of variants we have seen in the wild, and the changes they make to the computer on which they are installed:


Pirate Activator









Pirate Activator is a new variant of HackTool:Win32/Wpakill that includes options to crack WAT for Windows 8.


When run, the tool replaces the following system files with modified copies:
Management Center files:
ActionCenterCPL.dll
ActionCenter.dll.mui (resources)
Activation Center files:
GenuineCenter.dll
genuinecenter.dll.mui (resources)
Windows.UI.Immersive.dll
Panel files:
systemcpl.dll.mui (resources)
SystemSettings.exe.mui (resources)
License files:
slc.dll
slmgr.vbs


XP Crack




XP Crack is a component of HackTool:Win32/Wpakill that is used to crack the Windows XP activation process.


Upon execution, it may delete the following files:
%windir%\System32\idwlog.exe
%windir%\System32\wpabaln.exe
%windir%\prefetch\WPABALN.EXE-337AF9CE.pf


It then de-registers the following DLL files, which form a part of the Windows XP activation process:
regwizc.dll
licdll.dll


It may then shut down and reboot the computer to complete its installation process.


Windows XP Activator







Upon execution, Windows XP Activator replaces the "winlogon.exe" file with its own modified file.


As part of its installation routine, Windows XP Activator may make the following changes to the registry:


In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents

Sets value: "OOBETimer"

Sets value: "LastWPAEventLogged"


In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Sets value: "CurrentBuild"

Sets value: "ProductId"

Sets value: "DigitalProductId"

Sets value: "LicenseInfo"


Once the above registry entries have been modified, the computer will be restarted, and will undergo a new activation process by using the command "msoobe /a" with the new values in the registry.


Windows XP Validation Crack/Patcher

Below are some examples of various HackTool:Win32/Wpakill variants that are designed to bypass WPA (Windows Product Activation) when the user is installing Windows XP:











Upon execution, these tools create the following VBScript file:


<system folder>\syswinan.vbs


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.


The above file is used to change the Windows XP key from a legitimate key to a compromised key.


It then opens the system file "cscript.exe" to delete the following validation-related registry key:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents\OOBETimer


It also replaces the file "<system folder>\wpa.dbl" with its own modified file.


AntiWPA














Upon execution, AntiWPA drops the file "antiwpa.dll" in the Windows system folder.


It then creates the following registry entries:


In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa

Sets value: "Impersonate"

With data: dword:00000000

Sets value: "Asynchronous"

With data: dword:00000000

Sets value: "DllName"

With data: "antiwpa.dll"

Sets value: "Logon"

With data: "onLogon"


It then removes the "Activate Windows" link from the "Start Menu" and forces the Activate Windows dialog to display "Already Activated".


AntiWPA may also modify the following registry entries, and then re-activate Windows with the new values set in the registry:


In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents

Sets value: "OOBETimer"

Sets value: "LastWPAEventLogged"


In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Sets value: "CurrentBuild"

Sets value: "InstallDate"

Sets value: "ProductId"

Sets value: "DigitalProductId"

Sets value: "LicenseInfo"


WPA-Patch







Upon execution, this HackTool:Win32/Wpakill variant replaces the "winlogon.exe" file with a modified one, and as a result of this modification, Windows File Protection is disabled.


It may also modify the "OOBETimer" registry value which is a part of the Windows Activation process.


In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents

Sets value: "OOBETimer"


CHEW-WGA










Upon execution, CHEW-WGA drops and executes the file "autorun.exe" in the %TEMP% folder.


This HackTool:Win32/Wpakill variant makes a number of modifications to the affected computer. The following files are overwritten with modified copies:
<system folder>\winver.exe
<system folder>\sppcomapi.dll
<system folder>\slmgr.vbs
<system folder>\systemcpl.dll
<system folder>\dllcache\user32.dll


It then modifies the following files:
%windir%\WindowsUpdate.log
<system folder>\drivers\etc\hosts


The following lines are added to <system folder>\drivers\etc\hosts to prevent further genuine checks from being made:
127.0.0.1 genuine.microsoft.com
127.0.0.1 mpq.one.microsoft.com
127.0.0.1 sls.microsoft.com
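
The hosts-file change described above can be checked for on a suspect machine. The following is an added example, not code from the original page or from Microsoft; the function names and the sample hosts content are constructed here, and the `.microsoft.com` suffix match goes beyond the three hostnames listed above to catch similar redirections.

```python
import ipaddress

# Hostnames the page lists as redirected by CHEW-WGA.
BLOCKED_BY_CHEW_WGA = {
    "genuine.microsoft.com",
    "mpq.one.microsoft.com",
    "sls.microsoft.com",
}


def is_sinkhole(addr: str) -> bool:
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str, suffix: str = ".microsoft.com"):
    """Return (line_no, address, hostname, reason) for suspicious hosts entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2 or not is_sinkhole(entry[0]):
            continue
        for name in entry[1:]:                 # one line may carry several aliases
            host = name.lower().rstrip(".")    # hostnames are case-insensitive
            if host in BLOCKED_BY_CHEW_WGA:
                findings.append((line_no, entry[0], host, "listed on this page"))
            elif host.endswith(suffix):        # assumption: generalised check
                findings.append((line_no, entry[0], host, "generalised suffix match"))
    return findings


# Constructed sample hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 genuine.microsoft.com
127.0.0.1 MPQ.one.microsoft.com   # mixed case
0.0.0.0   sls.microsoft.com. update.microsoft.com
# 127.0.0.1 sls.microsoft.com  (commented out, ignored)
10.0.0.5  intranet.example.test
"""

if __name__ == "__main__":
    for line_no, addr, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts:{line_no}: {host} -> {addr} ({reason})")
```

To audit a real machine, pass the contents of the hosts file under the system folder to `audit_hosts` instead of the sample text.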


It may also add the following file:


%TEMP%\chew-wga.log


RemoveWAT

















RemoveWAT is a HackTool:Win32/Wpakill variant which, as the name suggests, removes or disables Windows Activation Technologies (WAT).


It usually arrives on the computer as "RemoveWAT.exe".


Upon execution, this HackTool:Win32/Wpakill variant renames the following files and replaces the original files with modified copies:
<system folder>\user32.dll into %System%\user32.dll.bak
<system folder>\slmgr.vbs into %System%\slmgr.vbs.removewat
<system folder>\systemcpl.dll into %System%\systemcpl.dll.bak
<system folder>\slwga.dll into %System%\slwga.dll.bak


Note: The file "slmgr.vbs" is a part of the Windows Software Licensing Management Tool script, a VBScript used to configure licensing on Windows. See the following article for more information about "slmgr.vbs":


http://technet.microsoft.com/en-us/library/ff793433.aspx


It then takes ownership of the following files and modifies the files' access control lists (ACLs) to executable and full access:
<system folder>\slui.exe
<system folder>\sppuinotify.dll
<system folder>\sppsvc.exe


Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.


RemoveWAT also stops the service "sppsvc", which enables the download, installation and enforcement of digital licenses for Windows and Windows Applications.


RemoveWAT also terminates the following processes, which are related to the Windows Activation Technologies (WAT) services, and changes their ACL permission (access control list permission) to executable:
WatAdminSvc.exe (Windows Activation Technologies Service)
WatUX.exe (Windows Activation Technologies)


It then creates a service called "antiwlmssvc", whose only function is to delete the service called "WLMS"; the WLMS service only exists in the evaluation copy of Windows 7/2008.


It may also recreate or replace the file "%windir%\wat.MSU", which is a part of the update for Windows Activation Technologies (WAT).


This HackTool:Win32/Wpakill variant also terminates explorer.exe in hidden mode using taskkill.exe, which, depending on the operating system it is running on, may not impact the computer's performance in any way.


Windows 7 Genuine License Mod







Upon execution, Windows 7 Genuine License Mod replaces the following files with modified copies:
%APPDATA%\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
%APPDATA%\Microsoft\SoftwareProtectionPlatform\tokens.dat


The files "cache.dat" and "tokens.dat" are part of the Windows 7 OEM (Original Equipment Manufacturer) Activation License files.


MS Activator
















MS Activator is a variant of HackTool:Win32/Wpakill which is used to crack or patch several versions of Windows operating systems, and Microsoft Office applications.
Execution


Bundles malware and potentially unwanted software


Hacktools may be downloaded electively from the Internet, but often malware is bundled with these hacktools, unbeknownst to the user.


In the wild, we have observed the following malware and/or potentially unwanted software being bundled with hacktools:


Backdoors, such as:
Backdoor:Win32/Bifrose.FO
Backdoor:Win32/Bisar!rts
Backdoor:Win32/Comdark.A
Backdoor:Win32/Poisonivy.E
Backdoor:Win32/Xtrat.A


Worms, such as:
Worm:Win32/Ainslot.A
Worm:Win32/Codungi.A
Worm:Win32/Rebhip
Worm:Win32/Rebhip.A
Worm:Win32/Rebhip.F


Password stealers, such as:
PWS:Win32/Fignotok.A
PWS:Win32/Fignotok.B
PWS:Win32/Stealer.M
PWS:Win32/Zbot


Trojans, such as:
Trojan:MSIL/Bogoclak.A
Trojan:Win32/Agent.AGQ
Trojan:Win32/Alureon.CT
Trojan:Win32/Alureon.DX
Trojan:Win32/Anomaly.gen!A
Trojan:Win32/Bumat!rts
Trojan:Win32/Comame
Trojan:Win32/Comisproc
Trojan:Win32/Coremhead
Trojan:Win32/Daales.A
Trojan:Win32/Dynamer!dtc
Trojan:Win32/Macklamel.A
Trojan:Win32/Macklamel.B
Trojan:Win32/Malagent
Trojan:Win32/Meredrop
Trojan:Win32/Provis!rts
Trojan:Win32/Rimod
Trojan:Win32/Sinis.C
Trojan:Win32/Sisproc
Trojan:Win32/Sisproc!rts
Trojan:Win32/Sisron
Trojan:Win32/Vundo.gen!D
TrojanDownloader:Win32/Delf.NA
TrojanDownloader:Win32/Lopelmoc.A
TrojanDownloader:Win32/Nistio.A
TrojanDownloader:Win32/Sinis.C
TrojanDropper:Win32/Agent.FO
TrojanDropper:Win32/Alureon.V
TrojanDropper:Win32/Conhook.A
TrojanDropper:Win32/FakeFlexnet.A
TrojanDropper:Win32/Unhjeca.A
TrojanSpy:Win32/Ardamax.BT


Potentially unwanted software, such as:
Adware:Win32/AdRotator
HackTool:MSIL/Binder.B
HackTool:Win32/CrackSearch.A
HackTool:Win32/Dump
HackTool:Win32/Keydump
HackTool:Win32/Keygen
MonitoringTool:Win32/PerfectKeylogger
VirTool:MSIL/Injector.gen!A
VirTool:MSIL/Injector.gen!B
VirTool:MSIL/Injector.J
VirTool:Win32/Evidpatch.A
VirTool:Win32/Injector.gen!AG
VirTool:Win32/Injector.gen!CA
VirTool:Win32/Vbinder.CO
VirTool:Win32/VBInject
VirTool:Win32/VBInject.DN
VirTool:Win32/VBInject.gen!DM
VirTool:Win32/VBInject.gen!EP
VirTool:Win32/VBInject.gen!FC
VirTool:Win32/VBInject.IH
VirTool:Win32/VBInject.OT

Additional information

For more information on WPA (Windows Product Activation), please refer to the following articles:
Microsoft Product Activation
Description of Microsoft Product Activation
Microsoft Product Activation for Windows XP
What is Windows Product Activation


For more information on WGA (Windows Genuine Advantage) and WAT (Windows Activation Technologies), please refer to the following articles:
Windows Genuine Advantage Notifications application
Windows Activation Technologies in Windows 7
Activation and Validation in Windows 7

Prevention
Follow these general security tips to better protect your system:
Enable a firewall on your computer.
Get the latest computer updates.
Limit user privileges on the computer.
Run an up-to-date scanning and removal tool.
Use caution with attachments and file transfers.
Use caution when clicking on links to webpages.
Avoid downloading pirated software.
Protect yourself against social engineering attacks.
Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
How to turn on the Windows Firewall in Windows 8
How to turn on the Windows Firewall in Windows 7
How to turn on the Windows Firewall in Windows Vista
How to turn on the Windows Firewall in Windows XP

Get the latest computer updates


Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites. Instructions on how to download the latest versions of some common software are available from the following:
Microsoft Malware Protection Center - Updating Software


You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
How to turn on Automatic updates in Windows 8
How to turn on Automatic Updates in Windows 7
How to turn on Automatic Updates in Windows Vista
How to turn on Automatic Updates in Windows XP

Limit user privileges on the computer


Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.


You can configure UAC in your computer to meet your preferences:
User Account Control in Windows 8
User Account Control in Windows 7
User Account Control in Windows Vista
Applying the Principle of Least Privilege in Windows XP
More on User Account Control

Run an up-to-date scanning and removal tool


Most scanning and removal software can detect and prevent the installation of known malicious software and potentially unwanted software such as adware or spyware. You should frequently run a scanning and removal tool, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see 'Consumer security software providers'.

Use caution with attachments and file transfers


Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages


Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a webpage with harmful content.

Avoid downloading pirated software


Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites not only carries the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks


While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer.

Use strong passwords


Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters and combines letters, numbers, and symbols. For more information see 'Create strong passwords'.

Recovery
Programs designated as Hacktool are generally installed intentionally by a computer user. Deleting the installed components will remove the program. Alternatively, to detect and remove this software, run a full-system scan with an up-to-date antivirus product such as the following:
Microsoft Security Essentials or, for Windows 8, Windows Defender
Microsoft Safety Scanner


NB: On the Linux operating system, this program is of no use at all because it is already regarded as a virus. So buy an operating system that is of good quality and not pirated.
