Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.A [Threat Variant Name]

Category trojan
Size 58880 B
Detection created May 12, 2012
Signature database version 10000
Aliases Trojan.Win32.Tipp.esf (Kaspersky)
  Worm:Win32/Gamarue.F (Microsoft)
  BackDoor.Andromeda.22 (Dr.Web)
Short description

Win32/TrojanDownloader.Wauchos.A is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %allusersprofile%\­svchost.exe
  • %allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%
  • %userprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%

A string with variable content is used instead of %variable% .


The %fileextension% is one of the following strings:

  • .exe
  • .com
  • .scr
  • .pif
  • .cmd
  • .bat

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched" = "%allusersprofile%\­svchost.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched" = "%allusersprofile%\­svchost.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "random_number" = "%allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%"

This causes the trojan to be executed on every system start.


The trojan can create and run a new thread with its own program code within the following processes:

  • %windir%\­system32\­wuauclt.exe
  • %windir%\­syswow64\­svchost.exe
Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (6) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • remove itself from the infected computer

Please enable Javascript to ensure correct displaying of this content and refresh this page.