
Trojan:Win32/Wysotot.A


First posted on 01 November 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Wysotot.A.

Explanation :

Threat behavior

Installation

Trojan:Win32/Wysotot.A is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Trojan:Win32/Startpage.VT is shown below:



Once installed, the trojan adds itself as a service under the display name "Wsys Service" or "DProtect Service".

An uninstall entry may be added under the display name "Wsys Control <version number>". Running this uninstaller may remove Win32/Wysotot.A from your PC.



Payload

Modifies browser settings

Win32/Wysotot.A monitors your PC for when you click on one of the following web browser shortcuts:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera


When you open one of the above browsers, the trojan redirects you to one of a list of websites instead of your usual browser homepage. Examples of the web pages redirected to include:

  • v9.com
  • 22find.com
  • 22apple.com
  • qvo6.com
  • portaldosites.com
  • delta-homes.com


Win32/Wysotot.A modifies browser shortcut files to redirect to one of the above websites. For example, a shortcut file to:

C:\Program Files\Internet Explorer\iexplore.exe

will be modified to:

"C:\Program Files\Internet Explorer\iexplore.exe" hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>

The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: "C:\Program Files\Internet Explorer\iexplore.exe" http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>

Additional information

Win32/Wysotot.A sends the status of any antimalware software on your PC to a C&C server.

It can also download, run, and kill processes. Commands include:

  • start
  • run
  • stop
  • uninstall
  • kill
  • restart




Analysis by Geoff McDonald



Symptoms

The following could indicate that you have this threat on your PC:

  • Your web browser redirects to an unexpected page when you open it
  • You see these entries or keys in your registry:

    In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
    Sets value: "command"
    With data: "C:\Program Files\Internet Explorer\iexplore.exe" http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
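The installation, payload and symptoms sections above all point at the same host artifacts: a service with one of the two display names, a "Wsys Control" uninstall entry, a StartMenuInternet registry value carrying a URL, and browser shortcut files with a URL appended after the executable path. The following PowerShell script is an added example, not part of the Microsoft write-up, that checks a Windows host for those artifacts without changing anything. The service display names, the uninstall display name, the registry path and the redirect domains are taken from the entry; the shortcut folders searched, the WOW6432Node uninstall path, and the choice to read both a `command` value under `shell\open` and the default value of the `shell\open\command` subkey are assumptions.

```powershell
# Added example (not part of the Microsoft write-up): read-only check of a Windows
# host for the Trojan:Win32/Wysotot.A artifacts described in this entry.
# Run in an elevated PowerShell session so HKLM and all-users folders are readable.

$ServiceNames  = @('Wsys Service', 'DProtect Service')        # from the entry
$RedirectHosts = @('v9.com', '22find.com', '22apple.com',     # from the entry
                   'qvo6.com', 'portaldosites.com', 'delta-homes.com')
$HostPattern   = ($RedirectHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$BrowserExe    = '(iexplore|firefox|chrome|opera)\.exe$'      # browsers the entry names

$findings = New-Object System.Collections.Generic.List[string]

# Classifies a command line or argument string that carries a URL.
function Get-UrlNote([string]$text) {
    if ($text -match ('https?://\S*(' + $HostPattern + ')')) { return 'known Wysotot redirect domain' }
    return 'URL argument present'
}

# 1. Service registered under one of the display names the entry lists
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $ServiceNames -contains $_.DisplayName } |
    ForEach-Object { $findings.Add("Service '$($_.DisplayName)' ($($_.Name)) present, status $($_.Status)") }

# 2. Uninstall entry "Wsys Control <version>" (the WOW6432Node path is an assumption for 64-bit hosts)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Wsys Control*' } |
    ForEach-Object { $findings.Add("Uninstall entry '$($_.DisplayName)' at $($_.PSPath)") }

# 3. Start-menu command for Internet Explorer carrying a URL. The entry names a
#    "command" value under shell\open; the default value of shell\open\command is
#    also read (assumption) because that is where Windows normally keeps the command line.
$openKey  = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open'
$cmdLines = @()
$open = Get-ItemProperty -Path $openKey -ErrorAction SilentlyContinue
if ($open -and $open.PSObject.Properties['command']) { $cmdLines += $open.command }
$cmd = Get-ItemProperty -Path "$openKey\command" -ErrorAction SilentlyContinue
if ($cmd -and $cmd.PSObject.Properties['(default)']) { $cmdLines += $cmd.'(default)' }
foreach ($line in $cmdLines) {
    if ($line -match 'https?://') {
        $findings.Add("StartMenuInternet command ($(Get-UrlNote $line)): $line")
    }
}

# 4. Browser shortcuts whose Arguments field contains a URL. A clean shortcut to
#    iexplore.exe has empty Arguments; the entry shows the URL appended after the path.
#    The folders searched are an assumption about where browser shortcuts usually live.
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')   # includes pinned taskbar items
)
$wsh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $wsh.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -match $BrowserExe -and $lnk.Arguments -match 'https?://') {
        $findings.Add("Shortcut $($_.FullName) ($(Get-UrlNote $lnk.Arguments)): `"$($lnk.TargetPath)`" $($lnk.Arguments)")
    }
}

if ($findings.Count -eq 0) { 'No Trojan:Win32/Wysotot.A indicators found.' } else { $findings }
```

The script only reports. Shortcut and StartMenuInternet findings are flagged on any URL argument, with the known redirect domains called out separately, since a browser shortcut normally launches the executable with no URL at all. The entry notes that the "Wsys Control" uninstaller may remove the trojan; the shortcut and registry findings tell you what to restore to their plain executable paths afterwards.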




Last update 01 November 2013
