W32/Wauchos.K!tr

Analysis


W32/Wauchos.K!tr is a generic detection for a family of trojans that use a polymorphic custom packer. Because the detection is generic, samples detected as W32/Wauchos.K!tr may differ in behavior.
Below are examples of some of these behaviors:

  • It copies itself to the user's profile folder, or the All Users' profile folder.

  • The following registry modifications are applied:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
      • [Random] = "%AllUsersProfile%\dx[Random Characters].exe"

    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
      • load = "%UserProfile%\dx[Random Characters].exe"

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
      • [Malware Filename] = "[Malware Filename]:*:Generic Host Process"

  • It attempts to inject code into "svchost.exe" and "msiexec.exe" before terminating its original process. The injected code enables the two processes, "svchost.exe" and "msiexec.exe", to protect each other from being terminated.

  • It attempts to protect its copy from being modified or deleted.

  • It attempts to protect its registry keys from being modified or deleted.

  • It attempts to connect to the following URLs:
    • http://be{Removed}.su/alter.php
    • http://planp{Removed}.com/login.php
    • http://dn{Removed}.su/billing.php
    • http://bizw{Removed}.net/filling.php
    • http://xdq{Removed}.ru/in.php
    • http://a{Removed}m0rph.su/in.php
    • http://b{Removed}uehky.nl/in.php
    • http://yg{Removed}hct.in/in.php

  • It attempts to download files using HTTP, then executes them.
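A defensive audit script, added here and not part of the Fortinet write-up, that checks the three registry persistence locations and the two profile folders named above for the "dx[Random Characters].exe" pattern. The regex and the function names are assumptions derived only from that description.

```powershell
# Added audit script; not part of the Fortinet write-up. It inspects the
# persistence locations listed in the analysis and reports anything matching
# the "dx[Random Characters].exe" naming pattern described there.
# Assumption: the file-name regex below is derived from that description only.
$namePattern = '(^|\\)dx[^\\:]*\.exe'

$checks = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Value = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Value = 'load' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'; Value = $null }
)

function Get-WauchosRegistryFindings {
    foreach ($c in $checks) {
        # Keys that do not exist on this host (e.g. the legacy firewall list) are skipped.
        $key = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $names = if ($c.Value) { @($c.Value) } else { $key.GetValueNames() }
        foreach ($n in $names) {
            $data = [string]$key.GetValue($n)
            # The "load" value is normally empty, so any content there deserves review.
            if ($data -match $namePattern -or $n -match $namePattern -or ($n -eq 'load' -and $data)) {
                [pscustomobject]@{ Key = $c.Path; ValueName = $n; Data = $data }
            }
        }
    }
}

function Get-WauchosDroppedFiles {
    # Profile folders named in the analysis; look for dx*.exe directly inside them.
    $dirs = @($env:USERPROFILE, $env:ALLUSERSPROFILE) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -Filter 'dx*.exe' -File -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

$reg   = @(Get-WauchosRegistryFindings)
$files = @(Get-WauchosDroppedFiles)
if ($reg.Count -eq 0 -and $files.Count -eq 0) {
    Write-Output 'No indicators matching the W32/Wauchos.K!tr persistence pattern were found.'
} else {
    $reg   | Format-Table -AutoSize
    $files | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so the HKLM keys and the All Users profile folder are readable; a hit is a lead for quarantine and further triage, not proof of infection on its own.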

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-09-09 90.05835
2022-05-31 90.02802
2019-09-05 71.39200 Sig Updated
2019-08-28 71.20000 Sig Updated
2019-04-02 67.50600 Sig Updated