WAM.SYS (LEGACY_WAM) - is it spyware or unused IBM driver ?

Message

Puppy · #1 Post by **Puppy** » Tue Jan 18, 2005 3:24 pm

I found strange driver and related service in my registry with description "Wicked Access by Mark". It looks like a spyware at first glance. Google didn't help much except one posting which has additional information from the registry where imagepath to the (non-existing) WAM service was: \??\C:\Program Files\IBM\IBM Rapid Restore Ultra\WAM.sys

I don't have such file on my disk. Can someone confirm that the registry key (LEGACY_WAM) is on his/her machine as well ? I still can not believe that IBM would choose such stupid description for part of their product.

s0larian · #2 Post by **s0larian** » Tue Jan 18, 2005 6:24 pm

I have R&R 2.0 installed, but there is no key called LEGACY_WAM in the registry.

Leeper · #3 Post by **Leeper** » Tue Jan 18, 2005 7:17 pm

I know I have seen this somewhere and it ends up being a safe file haveing to do with IBM.

I will keep digging but I do remember it as not being spyware.

Puppy · #4 Post by **Puppy** » Sat Jan 22, 2005 9:42 pm

I did complete reinstall and the seems to be there again.

Anyway, could someone else please confirm that you have the key in your registry as well. I'm getting little bit nervous ;-) It seems to be related to Rapid Restore Ultra 4.0 but who knows ...

The key is located in the registry at following locations:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WAM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WAM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WAM

Thanks.

Puppy · #5 Post by **Puppy** » Sun Jan 23, 2005 8:23 am

More on this issue. I restored registry hive file from backup I've made after fresh reinstall and the WAM registry keys were there as well. So it looks like it is part of IBM preinstall. But the driver name still does not make me feeling "safe" because it reminds a stealth virus/spyware loader.

I don't think I could ever get a response from IBM ;-) I asked someone with T41 and he didn't confirmed presence of these registry keys.

Puppy · #6 Post by **Puppy** » Fri Jan 28, 2005 5:44 am

Hmmm ... am I really alone with this issue ?

Puppy · #7 Post by **Puppy** » Tue May 09, 2006 5:18 am

Confirmed, the driver is part of IBM software. I found another reference to it in a support forum http://forums.spywareinfo.com/lofiversi ... 60434.html

experttease · #8 Post by **experttease** » Sat Oct 20, 2007 6:45 am

I get this service trying to start each time windows starts, and Comodo Antivirus stops it each time with its HIPS Aplication Control (don't really know what it is). whether I block it or allow it comodo never remembers my choice and it starts on reboot. It's pretty annoying. Any ideas? Comodo Antivirus is still in beta.

WAM.SYS (LEGACY_WAM) - is it spyware or unused IBM driver ?

WAM.SYS (LEGACY_WAM) - is it spyware or unused IBM driver ?

Who is online