Win32/Wemosis [Threat Name]

Win32/Wemosis.H [Threat Variant Name]

Category trojan
Size 86952 B
Detection created Mar 25, 2015
Detection database version 11378
Aliases Trojan.Win32.Reconyc.esie (Kaspersky)
Short description

Win32/Wemosis.H is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %windir%\System32\Microsoft\Windows\System32\svchost.exe
  • %appdata%\Microsoft\Windows\svchost.exe

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Service Host" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "Service Host" = "%malwarefilepath%"

This causes the trojan to be executed on every system start.


The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Identities]

After the installation is complete, the trojan deletes the original executable file.
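A defender's check for the persistence described above (an added example, not part of this ESET page): it flags the "Service Host" value under the two HKCU Run keys and the two svchost.exe copy locations. The rule that also flags any Run entry launching a file named svchost.exe is a generalization added here, on the assumption that the genuine %windir%\System32\svchost.exe is started by the service control manager and never from a Run key; the live read via winreg only runs on Windows, and the triples can equally come from an offline registry export.

```python
import ntpath
import platform

# Persistence indicators as listed on this page (Win32/Wemosis.H), HKCU-relative.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
VALUE_NAME = "service host"
DROP_SUFFIXES = (
    r"\system32\microsoft\windows\system32\svchost.exe",
    r"\microsoft\windows\svchost.exe",
)

def is_drop_path(path):
    """True if path matches one of the two copy locations from the page."""
    low = path.lower().replace("/", "\\")
    return low.endswith(DROP_SUFFIXES)

def _exe_from_command(data):
    """Extract the executable path from Run-key data ("quoted" or bare path)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def suspicious_run_entries(entries):
    """entries: (hkcu_subkey, value_name, data) triples. Returns the hits.
    Flags the page's "Service Host" value name, a drop path as the target, and
    (added assumption) any Run entry that launches a file named svchost.exe."""
    keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for subkey, name, data in entries:
        if subkey.lower() not in keys:
            continue
        exe = _exe_from_command(data)
        if (name.strip().lower() == VALUE_NAME or is_drop_path(exe)
                or ntpath.basename(exe).lower() == "svchost.exe"):
            hits.append((subkey, name, data))
    return hits

def collect_hkcu_run():
    """Read the two HKCU Run keys on a live Windows host (empty list elsewhere)."""
    if platform.system() != "Windows":
        return []
    import winreg
    entries = []
    for subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _ = winreg.EnumValue(key, i)
                    entries.append((subkey, name, str(data)))
        except OSError:
            continue
    return entries
```

Running `suspicious_run_entries(collect_hkcu_run())` on a host prints nothing on a clean system; each returned triple is a Run entry worth examining together with the file it points at.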


Information stealing

Win32/Wemosis.H is a trojan that steals sensitive information.


The trojan searches the memory of running processes for the following information:

  • credit card information

It skips processes whose names contain any of the following strings:

  • System
  • svchost.exe
  • smss.exe
  • csrss.exe
  • services.exe
  • winlogon.exe
  • lsass.exe
  • spoolsv.exe
  • wuauclt.exe
  • alg.exe
  • ctfmon.exe
  • MsMpEng.exe
  • MpCmdRun.exe
  • explorer.exe
  • wmpnetwk.exe
  • wmpnscfg.exe
  • cmd.exe
  • wininit.exe
  • SearchIndexer.exe
  • sqlservr.exe
  • mms.exe
  • WmiPrvSE.exe
  • taskhost.exe
  • dwm.exe

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/Wemosis.H is a trojan that receives data and instructions for its operation from the Internet or a remote computer in a botnet.


The trojan contains a list of (7) IP addresses. The TCP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • execute shell commands
  • shut down/restart the computer
  • upload files to a remote computer
  • send gathered information
