Win32/TrojanDownloader.Waski [Threat Name]

Win32/TrojanDownloader.Waski.Y [Threat Variant Name]

Category trojan
Size 6144 B
Detection created Aug 04, 2015
Signature database version 12039
Aliases TrojanDownloader:Win32/Upatre.BX (Microsoft)

Short description

Win32/TrojanDownloader.Waski.Y is a trojan that tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan runs the following process:

  • svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.
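
One way to hunt for the behaviour described above (an svchost.exe process started by the trojan to host its code), as an added example that is not part of the original description. It assumes process-creation telemetry with Sysmon-style `Image` and `ParentImage` fields, a Windows directory of C:\Windows, and that a legitimate svchost.exe is started by services.exe from a system directory; the sample events are constructed.

```python
import ntpath

# Assumption: %SystemRoot% is C:\Windows; legitimate svchost.exe lives here.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: legitimate svchost.exe instances are started by services.exe.
EXPECTED_PARENT = r"c:\windows\system32\services.exe"

# Constructed process-creation events (not taken from a real host).
SAMPLE_EVENTS = [
    {"ProcessId": 812, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"ProcessId": 4388, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def check_svchost(event):
    """Return the reasons an svchost.exe start looks wrong (empty list if none)."""
    image = ntpath.normpath(event["Image"]).lower()
    if ntpath.basename(image) != "svchost.exe":
        return []  # only svchost.exe starts are in scope
    reasons = []
    if ntpath.dirname(image) not in SYSTEM_DIRS:
        reasons.append("image outside system directory")
    parent = ntpath.normpath(event.get("ParentImage", "")).lower()
    if parent != EXPECTED_PARENT:
        reasons.append("parent is not services.exe")
    return reasons


def suspicious_svchost(events):
    """Map ProcessId -> reasons for every svchost.exe start that fails a check."""
    findings = {}
    for event in events:
        reasons = check_svchost(event)
        if reasons:
            findings[event["ProcessId"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in suspicious_svchost(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(reasons)}")
```

A hit is a lead for triage rather than proof of this trojan, since other malware families start or imitate svchost.exe in the same way.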


The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG]
    • "Seed" = %binvalue%
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    • "ProxyEnable" = 0
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
    • "ProxyEnable" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    • "SavedLegacySettings" = ""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    • "ProxyBypass" = 1
    • "IntranetName" = 1
    • "UNCAsIntranet" = 1

Other information

The trojan contains a list of URLs. It tries to download several files from these addresses, using the HTTP protocol for the communication.

The files contain encrypted executables. After decryption, the trojan runs these files.
