VirusW32/Wauchos.AF!tr.dldr
Analysis
W32/Wauchos.AF!tr.dldr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Wauchos.AF!tr.dldr may have varying behavior.
Below are examples of some of these behavior:
- The malware applies autostart registry modifications to be able to start itself automatically.
- It creates a new subfolder in the user's Application Data folder using a randomized folder name. It then drops another malware detected as W32/Tinba.BA!tr into this folder. The file name of this malware is also randomized.
- It modifies the following security-related Windows registry settings in order to evade detection:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HideSCAHealth = 0
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
- EnableLUA = 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- ShowSuperHidden = 0
- Hidden = 2
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- It has been observed to perform a DNS query on the site d{Removed}sdk3d111.ru.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |