Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.L [Threat Variant Name]

Category	trojan
Size	177983 B
Aliases	Backdoor.Win32.Androm.woh (Kaspersky)
	BDS/Androm.woh (Avira)

Win32/TrojanDownloader.Wauchos.L is a trojan which tries to download other malware from the Internet.

The trojan may create copies of itself using the following filenames:

The trojan may set the following Registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%userprofile%\Local Settings\Temp\cc%variable1%.%extension%"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable2%" = "%allusersprofile%\Local Settings\Temp\cc%variable1%.%extension%"

This causes the trojan to be executed on every system start.

A string with variable content is used instead of %variable1-2% .

The %extension% is one of the following strings:

The trojan launches the following processes:

The trojan creates and runs a new thread with its own code within these running processes.

After the installation is complete, the trojan deletes the original executable file.

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (7) URLs. The HTTP protocol is used.

It can execute the following operations:

The trojan checks for Internet connectivity by trying to connect to the following addresses:

The trojan keeps various information in the following Registry keys: