Win32/TrojanDownloader.Wauchos [Threat Name]
Win32/TrojanDownloader.Wauchos.B [Threat Variant Name]
|Detection created||Apr 12, 2012|
|Signature database version||10012|
Win32/TrojanDownloader.Wauchos.B is a trojan which tries to download other malware from the Internet.
When executed, the trojan copies itself to some of the following locations:
- %allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%
- %userprofile%\Local Settings\Temp\ms%variable%.%fileextension%
A string with variable content is used instead of %variable%.
The %fileextension% is one of the following strings:
The file is then executed.
The trojan may set the following Registry entries:
- "%randomnumber%" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"
This causes the trojan to be executed on every system start.
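A check for the persistence described above, as an added example that is not part of the original write-up: it scans the text of a `.reg` export for a non-empty "Load" value under the key listed above, and for any string value pointing at the `Local Settings\Temp\ms%variable%.%fileextension%` drop path. The sample export, the `ExampleKey` key name and the `.ext` extension are constructed placeholders, and any file extension is accepted because the extension list is not given here.

```python
import re

# Drop path from the write-up: <profile>\Local Settings\Temp\ms<variable>.<ext>
# Assumption: the extension list is not on the page, so any extension matches.
DROP_PATH = re.compile(r"\\Local Settings\\Temp\\ms[^\\/.]+\.[^\\/.\s]+$", re.IGNORECASE)
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslashes and double quotes inside strings
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value_name, data, reason) for suspicious string values."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue  # header, blank lines, dword/hex values
        name, data = unescape(m.group(1)), unescape(m.group(2))
        path = data.strip().strip('"')
        in_drop_dir = bool(DROP_PATH.search(path))
        if key.lower() == LOAD_KEY.lower() and name.lower() == "load" and path:
            reason = "Load autostart -> drop path" if in_drop_dir else "Load autostart set"
            findings.append((key, name, data, reason))
        elif in_drop_dir:
            findings.append((key, name, data, "value points at drop path"))
    return findings

# Constructed sample export (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\msqkzpa.ext"
"Device"="Printer,winspool,Ne00:"

[HKEY_CURRENT_USER\Software\ExampleKey]
"48213"="C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\msqkzpa.ext"
"Other"="C:\\Program Files\\App\\app.exe"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

Exports written by `reg export` are UTF-16 encoded, so decode the file before passing its text to `scan_reg_export`.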
The trojan creates and runs a new thread with its own program code within the following processes:
After the installation is complete, the trojan deletes the original executable file.
The trojan collects the following information:
- information about the operating system and system settings
- computer IP address
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (3) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- delete Registry entries
- remove itself from the infected computer
- send gathered information