Win32/Wolcape [Threat Name] go to Threat

Win32/Wolcape.A [Threat Variant Name]

Category trojan
Size 307200 B
Aliases Backdoor:Win32/Caphaw.G (Microsoft)
Short description

Win32/Wolcape.A is a trojan that overwrites MBR of all available drives with its own data. Win32/Wolcape.A installs a backdoor that can be controlled remotely. It uses techniques common for rootkits.


The trojan does not create any copies of itself.

The trojan creates the following files:

  • %system%\­%variable%

A string with variable content is used instead of %variable% .

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • "FlashPlayerUpdate" = "%malwarefilepath%"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "EnableLUA"=0

The trojan replaces the Master Boot Record with its own code that will gain control of the compromised computer when it restarts.

The trojan may perform operating system restart.

The trojan displays the following dialog boxes:

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version
  • installed Microsoft Windows patches

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan quits immediately if any of the following folder(s)/file(s) is/are detected:

  • C:\­GRLDR
  • C:\­XELDZ

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • update itself to a newer version
  • run executable files

The trojan hides its presence in the system.

The trojan terminates various security related applications.

The trojan may create the following files:

  • %temp%\­%variable%

A string with variable content is used instead of %variable% .

The file is then executed.

Please enable Javascript to ensure correct displaying of this content and refresh this page.