Wapomi

Category: worm_banker · Aliases: Virus.Wapomi, W32.Wapomi, PE_WAPOMI · Sample count (EMBER 2018): 5,191 · Enrichment: documented_reference_only · Updated: 2026-07-02T07:49:34Z

Overview

Executive Summary

Wapomi is a destructive File Infector (parasitic virus) and worm that was highly prevalent in the late 2000s and early 2010s. Unlike modern Trojans that simply drop a payload, Wapomi physically alters existing executable files (`.exe`, `.dll`) on the infected host, appending its malicious code to them. Its primary objective is aggressive self-replication across local drives, network shares, and removable media, often causing widespread system corruption and instability.

Infection Vector and Technical Capabilities

Wapomi spreads rapidly without requiring active human interaction once introduced to an environment. The initial infection usually occurs via an infected USB drive, a malicious email attachment, or by executing a file downloaded from an untrusted P2P network. Its technical core relies on aggressive modification and propagation:

Threat Assessment

A Wapomi infection is a highly disruptive event. While it may not explicitly steal data, its rapid propagation via network shares can quickly paralyze an entire corporate network, corrupting thousands of legitimate files and requiring massive remediation efforts.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1091 T1055.009 T1105

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_WAPOMI {
    meta:
        description = "Detects Wapomi (worm_banker)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "wapomi" ascii wide nocase
        $s2 = "virus.wapomi" ascii wide nocase
        $s3 = "w32.wapomi" ascii wide nocase
        $s4 = "pe_wapomi" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Wapomi Activity
id: bf1e1be38d8cdfb39e70ec8f0a8856e9
status: experimental
description: Detects generic indicators of the wapomi malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*wapomi*"
            - "*virus.wapomi*"
            - "*w32.wapomi*"
            - "*pe_wapomi*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about wapomi?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: worm_banker)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/wapomi.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.