How to remove Wapp.exe

Wapp.exe

Last Updated on Monday, 07 November 2011 10:25 Monday, 07 November 2011 10:04

The name Wapp.exe has appeared along with other names in a virus analysis report. You can see it on this link

It creates malicious folders named coming, outlooks and creates several exe files in them

The installer is of about 2.4 MB. It is identified as a virus Trojan Infostealer Bancos/ Banker/Banbra. It is suspected to have originated in Brazil. The installer is identified by Antivirus programs as
Infostealer.Gampass [Symantec]
Trojan-Banker.Win32.Banker.mva [Kaspersky Lab]
PWS-Banker [McAfee]
Mal/Banspy-K [Sophos]
TrojanSpy:Win32/DelpBanc.A [Microsoft]
Trojan-Banker.Win32.Banker [Ikarus]
Win-Trojan/Banker.2453504 [AhnLab]
packed with: PE_Patch [Kaspersky Lab]
It has threat characteristics of ZBot - a banking trojan that disables firewall, steals sensitive financial data (credit card numbers, online banking login details), makes screen snapshots, downloads additional components, and provides a hacker with the remote access to the compromised system.
It may stop services ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS)
Trojan.Bancos runs silently in the background to monitor web browser activities. It can create fake login page for certain banking sites which is used for stealing usernames and passwords which can be sent to the attacker via e-mail.
It may modify the hosts file so as to redirect or block sites. Or it deletes the hosts file.
It may delete safeboot registry keys. This will prevent the computer from starting in safe mode. The remedy to this problem is to reinstall windows.
According to Symantec

The Trojan is most often spread by way of an email containing a social engineering trick such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request they could potentially reveal their account access information which may lead to significant financial loss.

You can read the the writeup at Symantec on this link

It creates Wapp.exe and other files on the infected computer that you need to search and delete. You should also remove the entries of these files from the windows startup.

Warning: It is possible that some legitimate software may be using the same file names as that of the virus files. You do not have to delete these files if they belong to some legitimate program installed on your computer. Use Windows Defender or SysInternals Process Explorer to differentiate between them. The information in this article is presented without making any claims regarding its usefulness or otherwise. If you have any objections or questions, please send a note by adding a comment at the end of this page, or mail on support(at)comprolive.com

Preventive measures

Most of the viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT), you can install it from its website on this link.
[ a video about WOT plugin ]
Blocking Javascript of all sites by default can help to prevent drive by download infections. You can use Noscript Plugin for firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > Java Script > Select "Do not Allow". After that when you visit a site, you will see a pop up next to the address bar asking you if you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript. Keep an eye on when it becomes available.
Some of the viruses are downloaded in Internet Cache or in the Temp folder of the windows. The viruses get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove windows temp files ocasionally, ideally at the end of a browsing session or before closing down your computer. Some programs like CCleaner can be set to do these things automatically. [ a video about CCleaner ]
Do not leave your computer infected and insecure. If you doubt that there could be some undetected virus on your computer, don't leave it like that. Format the hard disk and reinstall windows and all other programs. That is the sure way to clear doubts.

Using System Restore

If you know the duration since your computer is infected, you can try to restore your computer at a prior date, that will be an easy way to undo the changes done by the virus

Using system restore in windows XP
Using system restore in windows Vista
Using system restore in windows7

[ Video of How to use System Restore ]

Boot in safe mode

Sometimes you can not delete a file. You should boot in safe mode and then try to delete it.

How to boot in safe in windows XP
How to boot in safe mode in windows Vista
How to boot in safe mode in windows7

View Hidden Files

You need to enable to view hidden files and folders before searching.
How to Enable to View Hidden Files and Folders in Windows XP
How to Enable to View Hidden Files and Folders in Windows Vista
How to Enable to View Hidden Files and Folders in Windows7

[ Video of How to enable Hidden files and folders ]

Remove Processes from Task Manager

Press Ctrl Alt Del keys to open the Task Manager. Select Processes tab. You will see a list. Look for the names Wapp.exe in it. Select if found any and press the End Process button. It will ask for your confirmation to end that process. Select Yes. You can end one process at a time. You can find out if a process in Task Manager is good or bad by using Windows Defender in XP and Vista. It shows the path of a process and its publisher. Harmful processes may be shown under Unknown Publisher in windows defender. Whereas in Windows7 you can find that out from the task manager itself. You can watch a video on How to use Windows Defender.

How to use Windows Defender in windows XP
How to use Windows Defender in windows Vista
How to use Windows Defender in windows7

Or you can use Sysinternal's Process Explorer. How to use Sysinternal's Process Explorer

[Video of How to use Sysinternal's/ Windows Process Explorer]

Removing entry from windows startup

The system configuration can be started in xp and in vista by typing msconfig in the run box/ start menu search box.
In xp by clicking on Start > run . The windows startup is reversible. You can check / uncheck any entry from windows startup any number of times. Watch a video on How to Use the Windows Startup

Open system configuration window.Click on the Startup tab. You will see a list all the programs that are scheduled to start with windows. Expand the middle column using your mouse pointer. That will show you the full path of the program. Locate and uncheck the boxes in front of these names "Wapp.exe" (also look for any other suspicious names)Press Apply , Press Close/Ok , Select "do not restart" at the next prompt.

modified services

While still in the above window, click on Services tab. Click on "Hide All Microsoft Services". Look for ALG/ Application Layer Gateway Service, SharedAccess/ Windows Firewall/Internet Connection Sharing (ICS). If they are checked, then do nothing. If they are unchecked then you need to check them again.

Locate and Check the box in front of these services if they are unchecked. Press Apply. Press Ok/close. Click on "restart" at the next prompt.

Deleting files

The computer will restart now. Delete the following files and folders. Boot in safe mode or boot in the dos prompt if needed. You can use windows search utility to search for Wapp.exe

Files
%CommonPrograms%\Startup\Wapp.exe
C:\Windows\Tasks\startt.job

You can see the path of %CommonPrograms% for your version of windows on this link

Folders
-

Files in Temp folder
-

Installer File
[file and pathname of the sample #1]

(We do not know the name or the location of sample #1, it could be in your default download location or on the desktop or in a Temp folder. The files and folders in the Temp folder can be automatically removed, if you use a freeware temp files/ registry cleaner software like CCleaner)
Folders
-

Repair Hosts File

To repair/ edit the hosts file. Login as administrator. open the following file in notepad
C:\ WINDOWS \system32 \drivers \etc \hosts
remove anything other than 127.0.0.1 Localhost, and save and close the file.

Registry Keys

Some of the registry keys will be automatically removed if you run Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article .

Using CCleaner

You can easily remove the files in the temp folder by running CCleaner. You can set CCleaner to run automatically each time the computer starts. Do not forget to run CCleaner > Registry menu to remove the obsolete registry entries.