Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.A [Threat Variant Name]

Category	trojan
Size	58880 B
Aliases	Trojan.Win32.Tipp.esf (Kaspersky)
	Worm:Win32/Gamarue.F (Microsoft)
	BackDoor.Andromeda.22 (Dr.Web)

Win32/TrojanDownloader.Wauchos.A is a trojan which tries to download other malware from the Internet.

When executed, the trojan copies itself in some of the the following locations:

A string with variable content is used instead of %variable% .

The %fileextension% is one of the following strings:

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched" = "%allusersprofile%\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched" = "%allusersprofile%\svchost.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "random_number" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"

This causes the trojan to be executed on every system start.

The trojan can create and run a new thread with its own program code within the following processes:

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (6) URLs. The HTTP protocol is used.

It can execute the following operations: