Wapomi is a destructive File Infector (parasitic virus) and worm that was highly prevalent in the late 2000s and early 2010s. Unlike modern Trojans that simply drop a payload, Wapomi physically alters existing executable files (`.exe`, `.dll`) on the infected host, appending its malicious code to them. Its primary objective is aggressive self-replication across local drives, network shares, and removable media, often causing widespread system corruption and instability.
Infection Vector and Technical Capabilities
Wapomi spreads rapidly without requiring active human interaction once introduced to an environment. The initial infection usually occurs via an infected USB drive, a malicious email attachment, or by executing a file downloaded from an untrusted P2P network.
Its technical core relies on aggressive modification and propagation:
Executable Appending (File Infection): When Wapomi runs, it aggressively scans the hard drive for executable files. It injects its malicious assembly code into the target file's PE (Portable Executable) header and entry point. When a user later runs the "clean" application, the virus executes first.
Worm Propagation: Wapomi actively seeks out mapped network drives (SMB shares) and removable USB drives. It copies an infected executable to these drives and often creates an `autorun.inf` file, ensuring the virus automatically executes if the drive is plugged into another vulnerable machine.
System Instability: Because file infection is a delicate, binary-level operation, Wapomi's aggressive appending often corrupts the target executables. This leads to frequent application crashes, system instability, and the inability to launch legitimate software.
Threat Assessment
A Wapomi infection is a highly disruptive event. While it may not explicitly steal data, its rapid propagation via network shares can quickly paralyze an entire corporate network, corrupting thousands of legitimate files and requiring massive remediation efforts.
Incident Response and Remediation
Immediate Network Severance: Infected machines must be isolated from the network *immediately* to halt the worm's spread across SMB shares. Disable USB port access across the organization temporarily via Group Policy.
Aggressive File Disinfection: Standard file deletion is not an option, as it would destroy legitimate corporate applications. Enterprise antivirus must be utilized in "Disinfect" mode, attempting to carefully strip the viral code out of the infected executables and repair the original PE headers.
Mass Restoration: In severe cases of widespread corruption, disinfection may fail. IT teams must be prepared to wipe infected machines and restore applications and user files from clean, offline backups.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1091T1055.009T1105
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.