Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.B [Threat Variant Name]

Category trojan
Size 47224 B
Detection created Apr 12, 2012
Detection database version 10012
Aliases Worm:Win32/Gamarue.F (Microsoft)
  Worm/Gamarue.F.147 (Avira)
Short description

Win32/TrojanDownloader.Wauchos.B is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%
  • %userprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%

A string with variable content is used instead of %variable% .


The %fileextension% is one of the following strings:

  • .exe
  • .com
  • .scr
  • .pif
  • .cmd
  • .bat

The file is then executed.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%randomnumber%" = "%allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%"

This causes the trojan to be executed on every system start.


The trojan creates and runs a new thread with its own program code within the following processes:

  • %windir%\­system32\­wuauclt.exe
  • %windir%\­syswow64\­svchost.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • delete Registry entries
  • remove itself from the infected computer
  • send gathered information

Please enable Javascript to ensure correct displaying of this content and refresh this page.