Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.I [Threat Variant Name]

Category trojan
Size 133446 B
Aliases Worm:Win32/Gamarue.P (Microsoft)
Short description

Win32/TrojanDownloader.Wauchos.I is a trojan which tries to download other malware from the Internet. The file is run-time compressed using RAR SFX .


When executed, the trojan creates the following files:

  • %temp%\­IXCHAUEE\­9ji8wk (17936 B)
  • %temp%\­IXCHAUEE\­KQDSMFOF.exe (40960 B, Win32/TrojanDownloader.Wauchos.I)

The trojan launches the following processes:

  • %temp%\­IXCHAUEE\­KQDSMFOF.exe
  • %windows%\­system32\­svchost.exe
  • %windows%\­system32\­msiexec.exe

The trojan creates and runs a new thread with its own code within these running processes.

The trojan may create copies of itself using the following filenames:

  • %allusersprofile%\­dx%variable1%.exe
  • %allusersprofile%\­svchost.exe
  • %userprofile%\­dx%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched" = "%allusersprofile%\­svchost.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "SunJavaUpdateSched" = "%allusersprofile%\­svchost.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%userprofile%\­dx%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%variable2%" = "%allusersprofile%\­dx%variable1%.exe"

A string with variable content is used instead of %variable1-2% .

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%injectedfilepath%" = "%injectedfilepath%:*:Generic Host Process"

The performed command creates an exception in the Windows Firewall.

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (7) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • uninstall itself

The trojan checks for Internet connectivity by trying to connect to the following addresses:


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]

The trojan hooks the following Windows APIs:

  • GetAddrInfoW (ws2_32.dll)
  • ZwMapViewOfSection (ntdll.dll)
  • ZwUnmapViewOfSection (ntdll.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.