Win32/Waspace [Threat Name]

Win32/Waspace.AA [Threat Variant Name]

Category: trojan
Size: 245760 B
Detection created: May 11, 2015
Detection database version: 11608
Aliases: TrojanDropper:Win32/Swisyn.gen!A (Microsoft)

Short description

Win32/Waspace.AA is a trojan that can interfere with the operation of certain applications.

Installation

When executed, the trojan drops the following file in the %commonappdata%\DRM\RECOVERY\ folder:

  • taskguard.exe

A "desktop.lnk" file is dropped in the %startup% folder. The file is a shortcut to a malicious file.

The following Registry entries are created:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "%malwarefilepath%"

This causes the trojan to be executed on every system start.

The trojan runs the following processes:

  • %commonappdata%\DRM\RECOVERY\taskguard.exe
  • %malwarefolder%\wasppacer.exe -l=croko -m=10 -a=1
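
The installation artifacts listed above can be matched against endpoint telemetry. The following Python is an added example, not ESET's detection logic; the event dictionary layout, the host paths and the `setup.exe` / `Updater` Run values are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above. The %...% placeholders expand
# differently per host, so paths are matched by their fixed tail.
DROPPED_EXE = re.compile(r"\\DRM\\RECOVERY\\taskguard\.exe$", re.I)
STARTUP_LNK = re.compile(r"\\Startup\\desktop\.lnk$", re.I)
WASPPACER_CMD = re.compile(r'wasppacer\.exe"?\s+-l=\S+\s+-m=\d+\s+-a=\d+', re.I)
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def match_event(event):
    """Return the names of the Waspace.AA indicators an event matches."""
    hits = []
    kind = event.get("type")
    if kind == "file":
        if DROPPED_EXE.search(event["path"]):
            hits.append("dropped_taskguard")
        if STARTUP_LNK.search(event["path"]):
            hits.append("startup_desktop_lnk")
    elif kind == "process":
        if DROPPED_EXE.search(event["image"]):
            hits.append("taskguard_running")
        if WASPPACER_CMD.search(event["command_line"]):
            hits.append("wasppacer_with_args")
    elif kind == "registry" and event["key"].lower() == RUN_KEY.lower():
        # Page: value name = malware file name, value data = its path.
        # Low-confidence heuristic: legitimate software can do the same.
        target = ntpath.basename(event["data"].strip('"'))
        if target and target.lower() == event["name"].lower():
            hits.append("run_value_named_after_target")
    return hits


def triage(events):
    """Map event index -> matched indicators, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}


# Constructed sample telemetry; field names and host paths are assumptions.
SAMPLE = [
    {"type": "file", "path": r"C:\ProgramData\DRM\RECOVERY\taskguard.exe"},
    {"type": "file", "path": r"C:\Users\a\Start Menu\Programs\Startup\desktop.lnk"},
    {"type": "process", "image": r"C:\Temp\wasppacer.exe",
     "command_line": r"C:\Temp\wasppacer.exe -l=croko -m=10 -a=1"},
    {"type": "registry", "key": RUN_KEY, "name": "setup.exe", "data": r'"C:\Temp\setup.exe"'},
    {"type": "registry", "key": RUN_KEY, "name": "Updater", "data": r"C:\Apps\upd.exe /min"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]
```

Calling `triage(SAMPLE)` flags the first four constructed events and leaves the ordinary Run value and the svchost.exe process unflagged.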

Other information

The following programs are terminated:

  • winlogon.exe
  • csrss.exe
  • smss.exe
  • svvhost.exe
  • svchost.exe
  • wizard.exe

The trojan then deletes these files.

The trojan may delete the following files:

  • %malwarefolder%\waagent.exe
  • %localappdata%\WaspAce\options.wao

The trojan can modify the following file:

  • %localappdata%\WaspAce\Leveling\pholder1.cm

The trojan affects the behavior of the following applications:

  • wasppacer.exe

The trojan hides windows of running processes which contain any of the following strings in their title:

  • Wasppacer
  • Wasppacer [defix]
