Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.C [Threat Variant Name]

Category	trojan
Size	73728 B
Aliases	Worm:Win32/Gamarue.I (Microsoft)
	PWS-Zbot.gen.agu.trojan (McAfee)
	Win32:Downloader-OMU (Avast)

Win32/TrojanDownloader.Wauchos.C is a trojan which tries to download other malware from the Internet.

When executed, the trojan copies itself in some of the the following locations:

A string with variable content is used instead of %variable% .

The %fileextension% is one of the following strings:

The file is then executed.

The trojan may set the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched" = "%allusersprofile%\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "SunJavaUpdateSched" = "%allusersprofile%\svchost.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%randomnumber%" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%allusersprofile%\Local Settings\Temp\ms%variable%.%fileextension%"

This causes the trojan to be executed on every system start.

The trojan can create and run a new thread with its own program code within the following processes:

After the installation is complete, the trojan deletes the original executable file.

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The HTTP, TCP protocol is used.

It can execute the following operations:

The trojan opens TCP port 8000 .

The trojan launches the following processes: