Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat

Win32/TrojanDownloader.Wauchos.X [Threat Variant Name]

Category trojan
Size 105843 B
Aliases Trojan.Win32.Vague.bp (Kaspersky)
Short description

Win32/TrojanDownloader.Wauchos.X is a trojan which tries to download other malware from the Internet.


When executed, the trojan copies itself in some of the the following locations:

  • %allusersprofile%\­ms%variable1%.exe
  • %userprofile%\­ms%variable1%.exe
  • %allusersprofile%\­explorer.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Start WingMan Profiler" = "%allusersprofile%\­explorer.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Start WingMan Profiler" = "%allusersprofile%\­explorer.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "Load" = "%userprofile%\­ms%variable1%.exe"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%variable2%" = "%allusersprofile%\­ms%variable1%.exe"

A string with variable content is used instead of %variable1-2% .

The trojan launches the following processes:

  • %windir%\­system32\­msiexec.exe
  • %windir%\­SysWOW64\­msiexec.exe

The trojan creates and runs a new thread with its own code within these running processes.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "TaskbarNoNotification" = 1
    • "HideSCAHealth" = 1
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "TaskbarNoNotification" = 1
    • "HideSCAHealth" = 1
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "EnableLUA" = 0

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/TrojanDownloader.Wauchos.X is a trojan that steals sensitive information.

The trojan collects the following information:

  • operating system version
  • volume serial number

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • uninstall itself

The trojan checks for Internet connectivity by trying to connect to the following addresses:


The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]

The trojan opens TCP port 3232 .

The following services are disabled:

  • wscsvc
  • SharedAccess
  • MpsSvc
  • WinDefend
  • wuauserv

The trojan may create and run a new thread with its own program code within any running process.

The trojan hooks the following Windows APIs:

  • GetAddrInfoW (ws2_32.dll)
  • ZwMapViewOfSection (ntdll.dll)
  • ZwUnmapViewOfSection (ntdll.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.