Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat
Win32/TrojanDownloader.Wauchos.L [Threat Variant Name]
Category | trojan |
Size | 177983 B |
Aliases | Backdoor.Win32.Androm.woh (Kaspersky) |
BDS/Androm.woh (Avira) |
Short description
Win32/TrojanDownloader.Wauchos.L is a trojan which tries to download other malware from the Internet.
Installation
The trojan may create copies of itself using the following filenames:
- %userprofile%\Local Settings\Temp\cc%variable1%.%extension%
- %allusersprofile%\Local Settings\Temp\cc%variable1%.%extension%
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%userprofile%\Local Settings\Temp\cc%variable1%.%extension%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable2%" = "%allusersprofile%\Local Settings\Temp\cc%variable1%.%extension%"
This causes the trojan to be executed on every system start.
A string with variable content is used instead of %variable1-2% .
The %extension% is one of the following strings:
- exe
- com
- scr
- pif
- cmd
- bat
The trojan launches the following processes:
- %originalmalwarefilepath%
- %windows%\system32\wuauclt.exe
- %windows%\syswow64\svchost.exe
The trojan creates and runs a new thread with its own code within these running processes.
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- operating system version
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (7) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- create Registry entries
- delete Registry entries
- uninstall itself
The trojan checks for Internet connectivity by trying to connect to the following addresses:
- www.update.microsoft.com
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\Software\Microsoft]
- [HKEY_CURRENT_USER\Software\Microsoft]