Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.AK [Threat Variant Name]

Category trojan
Size 75776 B
Detection created Sep 11, 2014
Detection database version 10402
Aliases Backdoor.Win32.Androm.gxgn (Kaspersky)
  Worm:Win32/Gamarue.AR (Microsoft)
  Trojan.MulDrop5.53534 (Dr.Web)
Short description

Win32/TrojanDownloader.Wauchos.AK is a trojan which tries to download other malware from the Internet. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %allusersprofile%\­ms%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%variable2%" = "%allusersprofile%\­ms%variable1%.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%" = "%allusersprofile%\­ms%variable1%.exe"

A string with variable content is used instead of %variable1-2% .

The trojan launches the following processes:

  • %windir%\­system32\­msiexec.exe
  • %windir%\­SysWOW64\­msiexec.exe

The trojan creates and runs a new thread with its own code within these running processes.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "TaskbarNoNotification" = 1
    • "HideSCAHealth" =1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "TaskbarNoNotification" = 1
    • "HideSCAHealth" = 1

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • netmon.exe
  • procmon.exe
  • VMUSrvc.exe
  • wireshark.exe
Information stealing

Win32/TrojanDownloader.Wauchos.AK is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • volume serial number
  • the IP address of the router in the local network

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (8) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send gathered information

The following services are disabled:

  • wscsvc
  • SharedAccess
  • MpsSvc
  • WinDefend
  • wuauserv

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

Please enable Javascript to ensure correct displaying of this content and refresh this page.