Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat
Win32/TrojanDownloader.Wauchos.C [Threat Variant Name]
Category | trojan |
Size | 73728 B |
Aliases | Worm:Win32/Gamarue.I (Microsoft) |
PWS-Zbot.gen.agu.trojan (McAfee) | |
Win32:Downloader-OMU (Avast) |
Short description
Win32/TrojanDownloader.Wauchos.C is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan copies itself in some of the the following locations:
- %allusersprofile%\svchost.exe
- %allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%
- %userprofile%\Local Settings\Temp\ms%variable%.%fileextension%
A string with variable content is used instead of %variable% .
The %fileextension% is one of the following strings:
- .exe
- .com
- .scr
- .pif
- .cmd
- .bat
The file is then executed.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched" = "%allusersprofile%\svchost.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched" = "%allusersprofile%\svchost.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%randomnumber%" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"
This causes the trojan to be executed on every system start.
The trojan can create and run a new thread with its own program code within the following processes:
- %windir%\system32\wuauclt.exe
- %windir%\SysWOW64\svchost.exe
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- information about the operating system and system settings
- computer IP address
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (5) URLs. The HTTP, TCP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- delete Registry entries
- remove itself from the infected computer
- send gathered information
The trojan opens TCP port 8000 .
The trojan launches the following processes:
- cmd.exe