
The Wnetpols Trojan is very persistent

Wnetpols trojans can be very difficult to remove from infected computers.

The Wnetpols Trojan makes many changes to the systems it infects. After its malicious files are created, it injects into running processes and continues to operate behind them. Among other things, by modifying the registry it ensures that Windows Firewall does not interfere with the Internet connections it creates. It then opens a backdoor through which attackers can perform various malicious actions.

One of the worst features of Wnetpols is that it is very difficult to remove from an infected computer. If a user or antivirus software tries to delete its files, it immediately creates new ones, and if the Trojan's service is stopped, it restarts itself shortly afterwards.


When the Wnetpols Trojan starts, it performs the following actions:

  1. Creates the following files:
    %System%\wnpms.exe
    %Windir%\Temp\wnpms_[random numbers].tmp
    %Windir%\Temp\wnp[random numbers].tmp
  2. Injects into the following processes:
    winlogon.exe
    explorer.exe
    iexplore.exe
  3. Creates the following entries in the registry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "Windows Network Policy Manager Service" = "%System%\wnpms.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "Windows Network Policy Manager Service" = "%System%\wnpms.exe"
  4. Modifies the following registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Userinit" = "C:\WINDOWS\system32\userinit.exe, wnpms.exe"
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
    "StartupPrograms" = "rdpclip, wnpms.exe"
  5. Creates a service called "Windows Network Policy Manager Service".
  6. Adds the following key to the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnpms
  7. If any of its files are deleted, it recreates them immediately.
  8. Disables the built-in Windows Firewall for its own traffic by adding exceptions in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    "%System%\wnpms.exe" = "%System%\wnpms.exe:*:Enabled:Windows Network Policy Manager Service"
    "%Windir%\Explorer.EXE" = "%Windows%\Explorer.EXE%Windows%\Explorer.EXE:*:Enabled:Windows Network Policy Manager Service"
  9. Creates two mutexes so that only one instance runs at a time on the infected system.
  10. Constantly monitors its own process and restarts it if it is stopped.
  11. Opens a backdoor and waits for the attackers' commands.
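A defender-side check for the footprint listed above, added here as an example and not part of the original page: it scans an offline registry snapshot (a dict of key path to value name/data, constructed below to mirror the description) for the Run entries, the Userinit and StartupPrograms hooks, the firewall exceptions and the service key. Reading a live registry via winreg is assumed to be wired up by the reader.

```python
import re

# Persistence locations from the page, as key path -> value name lookups
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RDPWD = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd"
FW_APPS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
SERVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnpms"
MARKER = re.compile(r"wnpms\.exe|Windows Network Policy Manager Service", re.I)


def find_wnetpols(reg):
    """reg maps a key path to {value name: data}. Returns (category, detail) hits."""
    hits = []
    for key in RUN_KEYS:  # step 3: Run entries pointing at wnpms.exe
        for name, data in reg.get(key, {}).items():
            if MARKER.search(f"{name}={data}"):
                hits.append(("run", f"{key}\\{name} = {data}"))
    # step 4: Userinit is normally only userinit.exe; anything after the comma is a hook
    userinit = reg.get(WINLOGON, {}).get("Userinit", "")
    if any(MARKER.search(p) for p in userinit.split(",")[1:]):
        hits.append(("userinit", userinit))
    startup = reg.get(RDPWD, {}).get("StartupPrograms", "")  # step 4: normally just rdpclip
    if MARKER.search(startup):
        hits.append(("rdp-startup", startup))
    # step 8: firewall exceptions granted to wnpms.exe or labelled with its service name
    for name, data in reg.get(FW_APPS, {}).items():
        if ":Enabled:" in data and MARKER.search(data):
            hits.append(("firewall", f"{name} = {data}"))
    if SERVICE in reg:  # steps 5/6: the service key itself
        hits.append(("service", SERVICE))
    return hits


# Constructed sample snapshot mirroring the page's description (not real forensic data)
INFECTED = {
    RUN_KEYS[0]: {"Windows Network Policy Manager Service": r"%System%\wnpms.exe"},
    RUN_KEYS[1]: {"Windows Network Policy Manager Service": r"%System%\wnpms.exe"},
    WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe, wnpms.exe"},
    RDPWD: {"StartupPrograms": "rdpclip, wnpms.exe"},
    FW_APPS: {
        r"%System%\wnpms.exe": r"%System%\wnpms.exe:*:Enabled:Windows Network Policy Manager Service",
        r"%Windir%\Explorer.EXE": r"%Windows%\Explorer.EXE:*:Enabled:Windows Network Policy Manager Service",
    },
    SERVICE: {"ImagePath": r"%System%\wnpms.exe"},
}
```

Running `find_wnetpols(INFECTED)` yields seven hits, one per persistence point; a clean machine whose Userinit ends in the usual trailing comma and whose StartupPrograms holds only rdpclip yields none.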
