W32/Kwampirs.XWA!tr

Analysis



W32/Kwampirs.XWA!tr is a highly generic detection for a Kwampirs Trojan. Since this is a generic detection, malware that is detected as W32/Kwampirs.XWA!tr may have varying behaviour.
Below are examples of some of these behaviours:

  • Upon execution this malware drops a data file %Windows%\inf\ie11.PNF.

  • The following service-related registry modifications are applied:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WmiApSrvEx
      • ImagePath = %SystemRoot%\system32\[OriginalMalwareExecuted].exe
      • DisplayName = "WMI Performance Adapter Extension"
      • DependOnService = RpcSs
      • ObjectName = "LocalSystem"
      • Description = "Provides extensional information of performance library from Windows Management Instrumentation (WMI)."
      These registry entries register the malware on the host as a running service.

  • Upon execution, the malware displays the following:

    Figure 1: Display during execution.


  • This malware has been associated with an attack known as Orangeworm. The malware was involved in targeting medical/health care equipment and facilities through its backdoor capabilities. The malware was known to have spread through network shares within the local network.
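As an added example (not Fortinet's own tooling), the following Python flags the service-persistence entries listed above in a registry export; the .reg text and the executable name it contains are constructed for the demonstration.

```python
import re

# Indicators from the analysis above; the .exe name below is a constructed placeholder.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WmiApSrvEx"
EXPECTED_VALUES = {
    "DisplayName": "WMI Performance Adapter Extension",
    "DependOnService": "RpcSs",
    "ObjectName": "LocalSystem",
}

# Constructed sample of a .reg export showing the persistence entries.
# (Real exports store REG_MULTI_SZ such as DependOnService as hex(7); not handled here.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WmiApSrvEx]
"ImagePath"="%SystemRoot%\\system32\\placeholder_malware.exe"
"DisplayName"="WMI Performance Adapter Extension"
"DependOnService"="RpcSs"
"ObjectName"="LocalSystem"
'''

def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            data = data.strip('"').replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name.strip('"')] = data
    return keys

def find_kwampirs_indicators(reg_text):
    """Return findings that match the service persistence described above."""
    findings = []
    svc = parse_reg(reg_text).get(SERVICE_KEY)
    if svc is None:
        return findings
    findings.append("service key present: " + SERVICE_KEY)
    for name, want in EXPECTED_VALUES.items():
        if svc.get(name) == want:
            findings.append(f"{name} = {want}")
    # The page reports ImagePath pointing at a copy of the malware in system32.
    if re.search(r"\\system32\\[^\\]+\.exe$", svc.get("ImagePath", ""), re.I):
        findings.append("ImagePath in system32: " + svc["ImagePath"])
    return findings
```

Run `find_kwampirs_indicators` over `reg export HKLM\SYSTEM\CurrentControlSet\services` output to triage a host; an empty list means none of the listed entries were found.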



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2020-07-23 79.08500 Sig Updated
2020-05-21 77.59200 Sig Added
2020-05-19 77.53700 Sig Updated
2020-04-21 76.87400 Sig Updated
2020-04-21 76.87100 Sig Updated
2020-04-21 76.86800 Sig Updated
2020-02-13 75.23900 Sig Updated
2019-06-25 69.51800 Sig Updated
2019-05-03 68.25100 Sig Updated
2019-05-03 68.25000 Sig Updated