Troj/WTH-A is a backdoor Trojan that is usually distributed by a malicious script hosted on a website. The malicious script drops and runs C:\wsysc.exe. This EXE drops wthunk32.dll into the Windows system folder or into the application data folder indicated by the registry entry
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
and sets the following registry entries so that the dropped DLL is loaded whenever Explorer is executed:
Under Win9x:
HKCR\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32\<Default> = <Path to wthunk32.dll>
HKCR\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32\ThreadingModel = Apartment
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} = Advanced Features
Under NT/2K/XP:
HKCU\SOFTWARE\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32\<Default> = <Path to wthunk32.dll>
HKCU\SOFTWARE\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32\ThreadingModel = Apartment
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Advanced Features = {3F143C3A-1457-6CCA-03A7-7AA23B61E40F}
Wsysc.exe executes the dropped DLL using rundll32.exe. Wthunk32.dll is the main backdoor component: it deletes its dropper EXE C:\wsysc.exe and opens a backdoor on a random TCP port (port number above 5000) that provides a proxy server for the attacker.
Troj/WTH-A also connects to a website to retrieve backdoor commands.
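The persistence mechanism described above (a CLSID registered under InProcServer32 and then referenced from Explorer's SharedTaskScheduler or ShellServiceObjectDelayLoad lists) is something a responder can audit from a `reg export` dump without running anything on the suspect host. The following script is an added example and is not part of the original advisory or of any vendor tool. It parses a `.reg` style export into key/value maps, resolves every CLSID listed in the two Explorer autostart locations to its in-process DLL, and flags entries that match the advisory's CLSID or DLL name, or whose DLL lives in a per-user profile path. The sample export embedded below is constructed for the example; the placeholder GUIDs, the `user` profile path and `benign.dll` are invented, and only the CLSID and DLL name come from the advisory. Note that ShellServiceObjectDelayLoad stores entries as Name = CLSID while SharedTaskScheduler stores them as CLSID = Name, which is why the code accepts the GUID from either side of the value.

```python
import re
from typing import Dict, List

IOC_CLSID = "{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"   # from the advisory
IOC_DLL = "wthunk32.dll"                                # from the advisory

# Explorer autostart locations named in the advisory (hive-independent suffixes).
AUTOSTART_SUFFIXES = (
    r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler",
)

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$", re.I)

# Constructed sample export (not from the page). GUIDs ending in ...0001/0002,
# the profile path and benign.dll are placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\benign.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}\InProcServer32]
@="C:\\Documents and Settings\\user\\Application Data\\wthunk32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Placeholder SSO"="{00000000-0000-0000-0000-000000000001}"
"Advanced Features"="{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
"{00000000-0000-0000-0000-000000000002}"="Placeholder task"
"""


def _unquote(s: str) -> str:
    """Undo .reg string quoting: strip the quotes and resolve \\\\ and \\" escapes."""
    s = s.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s  # dword:/hex: data is left as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a 'reg export' style dump into {key_path: {value_name: data}}.
    The key's default value is stored under the empty name ''."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def find_shell_autostart_entries(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """List every CLSID Explorer will load from the two autostart keys,
    resolved to its InProcServer32 DLL, with the reasons it looks suspicious."""
    inproc = {}  # CLSID -> DLL path, from whichever hive registers it
    for key, values in keys.items():
        m = INPROC_RE.search(key)
        if m:
            inproc[m.group(1).upper()] = values.get("", "")
    findings = []
    for key, values in keys.items():
        if not any(key.upper().endswith(s.upper()) for s in AUTOSTART_SUFFIXES):
            continue
        for name, data in values.items():
            # ShellServiceObjectDelayLoad: Name=CLSID; SharedTaskScheduler: CLSID=Name.
            clsid = name.upper() if GUID_RE.match(name) else data.upper()
            dll = inproc.get(clsid, "")
            reasons = []
            if clsid == IOC_CLSID:
                reasons.append("CLSID matches Troj/WTH-A indicator")
            if dll.lower().endswith("\\" + IOC_DLL) or dll.lower() == IOC_DLL:
                reasons.append("DLL name matches Troj/WTH-A indicator")
            if "application data" in dll.lower() or "\\appdata\\" in dll.lower():
                reasons.append("shell object loaded from a per-user profile path")
            findings.append({"key": key, "value": name, "clsid": clsid,
                             "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for entry in find_shell_autostart_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        flag = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"{flag:10} {entry['clsid']} -> {entry['dll'] or '<no InProcServer32>'}")
        for r in entry["reasons"]:
            print(f"           - {r}")
```

On a real host the input would be the output of `reg export` for HKLM\Software\Microsoft\Windows\CurrentVersion and for HKCR, HKCU\Software\Classes and HKLM\Software\Classes (the NT-family variant registers its CLSID per-user, which is why the lookup does not assume HKCR). An entry that resolves to no InProcServer32 at all, or to a DLL under a profile directory, deserves a look even when it matches none of the advisory's indicators.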