Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.C [Threat Variant Name]

Category trojan
Size 73728 B
Aliases Worm:Win32/Gamarue.I (Microsoft)
  PWS-Zbot.gen.agu.trojan (McAfee)
  Win32:Downloader-OMU (Avast)
Short description

Win32/TrojanDownloader.Wauchos.C is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself in some of the the following locations:

  • %allusersprofile%\­svchost.exe
  • %allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%
  • %userprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%

A string with variable content is used instead of %variable% .

The %fileextension% is one of the following strings:

  • .exe
  • .com
  • .scr
  • .pif
  • .cmd
  • .bat

The file is then executed.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched" = "%allusersprofile%\­svchost.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched" = "%allusersprofile%\­svchost.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%randomnumber%" = "%allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%allusersprofile%\­Local Settings\­Temp\­ms%variable%.%fileextension%"

This causes the trojan to be executed on every system start.

The trojan can create and run a new thread with its own program code within the following processes:

  • %windir%\­system32\­wuauclt.exe
  • %windir%\­SysWOW64\­svchost.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • computer IP address

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (5) URLs. The HTTP, TCP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • delete Registry entries
  • remove itself from the infected computer
  • send gathered information

The trojan opens TCP port 8000 .

The trojan launches the following processes:

  • cmd.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.