Win32/TrojanDownloader.Wauchos [Threat Name] go to Threat
Win32/TrojanDownloader.Wauchos.X [Threat Variant Name]
| Category | trojan |
| Size | 105843 B |
| Aliases | Trojan.Win32.Vague.bp (Kaspersky) |
Short description
Win32/TrojanDownloader.Wauchos.X is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan copies itself in some of the the following locations:
- %allusersprofile%\ms%variable1%.exe
- %userprofile%\ms%variable1%.exe
- %allusersprofile%\explorer.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Start WingMan Profiler" = "%allusersprofile%\explorer.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Start WingMan Profiler" = "%allusersprofile%\explorer.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
- "Load" = "%userprofile%\ms%variable1%.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "%variable2%" = "%allusersprofile%\ms%variable1%.exe"
A string with variable content is used instead of %variable1-2% .
The trojan launches the following processes:
- %windir%\system32\msiexec.exe
- %windir%\SysWOW64\msiexec.exe
The trojan creates and runs a new thread with its own code within these running processes.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "TaskbarNoNotification" = 1
- "HideSCAHealth" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "TaskbarNoNotification" = 1
- "HideSCAHealth" = 1
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "EnableLUA" = 0
After the installation is complete, the trojan deletes the original executable file.
Information stealing
Win32/TrojanDownloader.Wauchos.X is a trojan that steals sensitive information.
The trojan collects the following information:
- operating system version
- volume serial number
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (2) URLs. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- uninstall itself
The trojan checks for Internet connectivity by trying to connect to the following addresses:
- update.microsoft.com
- microsoft.com
- bing.com
- google.com
- yahoo.com
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
The trojan opens TCP port 3232 .
The following services are disabled:
- wscsvc
- SharedAccess
- MpsSvc
- WinDefend
- wuauserv
The trojan may create and run a new thread with its own program code within any running process.
The trojan hooks the following Windows APIs:
- GetAddrInfoW (ws2_32.dll)
- ZwMapViewOfSection (ntdll.dll)
- ZwUnmapViewOfSection (ntdll.dll)