
Trojan:Win32/Wysotot.B


First posted on 13 November 2013.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Wysotot.B.

Explanation :

Threat behavior

Installation

Trojan:Win32/Wysotot.B is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot is shown below:



Once installed, the trojan adds itself as a service with the name "Wsys Service" or "DProtect Service".

It might add an uninstall entry with the name "Wsys Control <version number>". Running this uninstaller might remove Win32/Wysotot.B from your PC.



Payload

Changes browser settings

Win32/Wysotot.B checks if you click on any of the shortcuts for these browsers:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera


When you open one of these browsers, the trojan redirects you to one of a list of websites instead of your usual homepage. Examples of the web pages it redirects to include:

  • v9.com
  • 22find.com
  • 22apple.com
  • qvo6.com
  • portaldosites.com
  • delta-homes.com


Win32/Wysotot.B does this by changing what your browser shortcut points to. For example, a shortcut file to:

C:\Program Files\Internet Explorer\iexplore.exe

will be changed to:

"C:\Program Files\Internet Explorer\iexplore.exe" hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>

The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: ""C:\Program Files\Internet Explorer\iexplore.exe" http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>"
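The shortcut and registry hijack described above can be checked mechanically: a browser launch command that carries a URL argument is the tell-tale sign. The following is an added example (not part of the Microsoft write-up) that parses a Windows launch command, flags the hijack, labels it when the destination is one of the redirect domains listed here, and produces the cleaned command for remediation; the sample commands are constructed to mirror the write-up, not captured artefacts.

```python
import re
from urllib.parse import urlparse

# Browser executables whose shortcuts Win32/Wysotot.B is described as hijacking.
BROWSER_EXES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}

# Redirect destinations listed in the write-up. Used only for labelling:
# any URL appended to a browser shortcut is suspicious regardless.
KNOWN_REDIRECT_DOMAINS = {"v9.com", "22find.com", "22apple.com", "qvo6.com",
                          "portaldosites.com", "delta-homes.com"}

# Accepts defanged "hxxp" forms as well as plain http/https.
URL_RE = re.compile(r"^h[tx]{2}ps?://", re.IGNORECASE)

def split_windows_command(command):
    """Return (executable, [args]) from a Windows command line.
    A quoted executable path is honoured; the rest splits on whitespace."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        exe, rest = command[1:end], command[end + 1:]
    else:
        exe, _, rest = command.partition(" ")
    return exe, rest.split()

def inspect_command(command):
    """Classify a browser launch command (shortcut target or the
    StartMenuInternet 'command' value) and build a cleaned replacement."""
    exe, args = split_windows_command(command)
    exe_name = exe.rsplit("\\", 1)[-1].lower()
    url_args = [a for a in args if URL_RE.match(a)]
    # Reduce each URL to its registered domain (last two labels suffice here).
    domains = [".".join((urlparse(u.replace("hxxp", "http", 1)).hostname or "")
                        .lower().split(".")[-2:]) for u in url_args]
    clean_args = [a for a in args if not URL_RE.match(a)]
    return {
        "browser": exe_name,
        "hijacked": exe_name in BROWSER_EXES and bool(url_args),
        "known_redirect": any(d in KNOWN_REDIRECT_DOMAINS for d in domains),
        "domains": domains,
        "clean_command": f'"{exe}"' + (" " + " ".join(clean_args) if clean_args else ""),
    }

# Constructed sample inputs modelled on the write-up (not captured artefacts).
SAMPLE_COMMANDS = {
    "clean_ie_shortcut": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    "hijacked_ie_shortcut": r'"C:\Program Files\Internet Explorer\iexplore.exe" '
        "http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP"
        "&utm_content=sc&from=eBP&uid=EXAMPLEUID&ts=1384300800",
    "chrome_with_flag": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --incognito',
}
```

Running `inspect_command` over every browser shortcut's target string and over the `HKLM\SOFTWARE\Clients\StartMenuInternet\...\shell\open\command` value gives a quick host-wide sweep; a legitimate non-URL argument such as a browser flag is left untouched in the cleaned command.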

Additional information

Win32/Wysotot.B sends the status of any security software on your PC to a command-and-control (C&C) server.

It can also download, run, and kill processes. Commands include:

  • start
  • run
  • stop
  • uninstall
  • kill
  • restart




Analysis by Geoff McDonald



Symptoms

The following could indicate that you have this threat on your PC:

  • Your web browser redirects to an unexpected page when you open it
  • You see an uninstaller called "Wsys Control".

Last update 13 November 2013
