This post is about kwampirs malware which is targeting health care malware majorly, in this post I will share my recent experience with this malware identification as well as tips to make your system free from this malware.
Kwampirs is basically a backdoor trojan used by hackers to gain remote access to compromised computers. When executed, the Trojan decrypts and extracts a copy of its main DLL payload. Kwampirs target WMI performance adapter service present in windows and upon infection it makes the service as WMI Performance Adapter Extension (WmiApSrvEx) type autostart.It only targets windows system that doesn't any sort of security prevention mechanism such as the latest antivirus.It doesn't have anything to deal with Linux/Mac environment.
Check for the service WmiApSrvEx (WMI Performance Adapter Extension) if it is in running /stopped state means it is infected with kwampirs.
You can also check for the infection using the registry.
Key Path: CurrentControlSet\Services\WmiApSrvEx\
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrvEx
Not only that you can also have a look in system folder such as c:\Windows\System32\ & C:\windows\SYSWOW64 for service name (.exe)
wmiapsrvce
wmipsrvce
wmiapsrvcep
wmiapsvrce
etc or dll
wmiamgmt
wmiassn
wmipadp
Also some .PNF files are associated with the malware:
C:\Windows\inf\mtmndkb32.pnf
C:\Windows\inf\digirps.pnf
Etc
Older XP Or server 2000/2008 system which is not managed properly.
If a certain group system such as XP where you can't have antivirus protection make sure they are operated in an isolated network.
Hope these post help you to know details about kwampirs.
Please do provide a view on this, if you have any query i will definitely try my level best to answer.
About Kwampirs:
Kwampirs is basically a backdoor trojan used by hackers to gain remote access to compromised computers. When executed, the Trojan decrypts and extracts a copy of its main DLL payload. Kwampirs target WMI performance adapter service present in windows and upon infection it makes the service as WMI Performance Adapter Extension (WmiApSrvEx) type autostart.It only targets windows system that doesn't any sort of security prevention mechanism such as the latest antivirus.It doesn't have anything to deal with Linux/Mac environment.
How to check for kwampirs infection?
In your system go run (win+R) type services.msc.
Check for the service WmiApSrvEx (WMI Performance Adapter Extension) if it is in running /stopped state means it is infected with kwampirs.
You can also check for the infection using the registry.
Key Path: CurrentControlSet\Services\WmiApSrvEx\
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrvEx
Not only that you can also have a look in system folder such as c:\Windows\System32\ & C:\windows\SYSWOW64 for service name (.exe)
wmiapsrvce
wmipsrvce
wmiapsrvcep
wmiapsvrce
etc or dll
wmiamgmt
wmiassn
wmipadp
Also some .PNF files are associated with the malware:
C:\Windows\inf\mtmndkb32.pnf
C:\Windows\inf\digirps.pnf
Etc
Target Systems :
A system with no Antivirus protection.Older XP Or server 2000/2008 system which is not managed properly.
Steps to Make your network Kwampirs Infection Free:
Make sure all the system are having the latest antivirus protection.If a certain group system such as XP where you can't have antivirus protection make sure they are operated in an isolated network.
Hope these post help you to know details about kwampirs.
Please do provide a view on this, if you have any query i will definitely try my level best to answer.
Post a Comment
Feel Free To Ask Your Query we Love To Answer