W32/Wauchos.AF!tr
Analysis
W32/Wauchos.AF!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Wauchos.AF!tr may have varying behavior.
Below are examples of some of these behaviors:
- Creates a copy of itself to the All Users' Profile folder using a randomized name.
- Adds the following registry entry to enable its automatic execution:
  - key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\polices\Explorer\Run
  - value: [Random Digits]
  - data: %AllUsersProfile%\[Random Letters].exe
- Employs techniques against emulators and security-related tools.
- The original copy of the malware is deleted after execution.
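As an added defender-side example (not code from the Fortinet page), the routine below scans an exported .reg file for entries under the Policies\Explorer\Run key that match the persistence pattern listed above: an all-digit value name whose data is an all-letter .exe in the All Users profile folder. The sample export, file names and the profile path are constructed; the key spelling "Policies" is assumed to be the standard Windows spelling of the page's "polices", and both are matched.

```python
import re
from typing import List, Tuple

# Run key named in the advisory. The page spells the component "polices"; the
# Windows key is "Policies", so both spellings are accepted (assumption).
RUN_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    r"\\polic(?:i)?es\\Explorer\\Run\]$", re.IGNORECASE)
# "name"="data" line of a .reg export (data may contain \\ and \" escapes).
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\" -> \" and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def suspicious_run_entries(reg_text: str, all_users_profile: str) -> List[Tuple[str, str]]:
    """Return (value_name, data) pairs under the Policies\\Explorer\\Run key whose
    name is all digits and whose data is <AllUsersProfile>\\<letters>.exe."""
    hits = []
    in_run_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a key header switches context
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        if not in_run_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), _unescape(m.group(2))
        if not name.isdigit():              # advisory: value name is random digits
            continue
        folder, _, exe = data.rpartition("\\")
        in_profile = folder.lower() in (all_users_profile.lower(), "%allusersprofile%")
        if in_profile and re.fullmatch(r"[A-Za-z]+\.exe", exe):
            hits.append((name, data))
    return hits


# Constructed sample export: one matching entry, two benign ones, and a
# digit-named entry under the ordinary Run key that is out of scope here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"51834"="C:\\ProgramData\\kqzwfd.exe"
"Backup"="C:\\Program Files\\Vendor\\backup.exe"
"7"="C:\\Users\\Public\\notes.txt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"20491"="C:\\ProgramData\\abc.exe"
'''

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG, r"C:\ProgramData"))
```

A real export comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run out.reg`; a hit is a lead for quarantine and backup restoration as recommended below, not proof of infection on its own.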
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
  - Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR