Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.L [Threat Variant Name]

Category trojan
Size 177983 B
Aliases Backdoor.Win32.Androm.woh (Kaspersky)
  BDS/Androm.woh (Avira)
Short description

Win32/TrojanDownloader.Wauchos.L is a trojan which tries to download other malware from the Internet.


The trojan may create copies of itself using the following filenames:

  • %userprofile%\­Local Settings\­Temp\­cc%variable1%.%extension%
  • %allusersprofile%\­Local Settings\­Temp\­cc%variable1%.%extension%

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%userprofile%\­Local Settings\­Temp\­cc%variable1%.%extension%"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%variable2%" = "%allusersprofile%\­Local Settings\­Temp\­cc%variable1%.%extension%"

This causes the trojan to be executed on every system start.

A string with variable content is used instead of %variable1-2% .

The %extension% is one of the following strings:

  • exe
  • com
  • scr
  • pif
  • cmd
  • bat

The trojan launches the following processes:

  • %originalmalwarefilepath%
  • %windows%\­system32\­wuauclt.exe
  • %windows%\­syswow64\­svchost.exe

The trojan creates and runs a new thread with its own code within these running processes.

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (7) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • create Registry entries
  • delete Registry entries
  • uninstall itself

The trojan checks for Internet connectivity by trying to connect to the following addresses:


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft]
  • [HKEY_CURRENT_USER\­Software\­Microsoft]

Please enable Javascript to ensure correct displaying of this content and refresh this page.