Trojan:Win32/Wysotot.A


Microsoft security software detects and removes this threat.

This trojan can change the start page of your web browser.

It is installed on your PC by software bundlers that advertise free software or games.



What to do now

This trojan creates an uninstaller that can be accessed from the Control Panel.
  • For Windows 8, open the Start screen, type Uninstall and then go to Settings. In the search results, go to Uninstall a program.
  • For Windows 7 and Vista, open the Start menu and navigate to Control Panel, then Programs, then Uninstall a Program.
  • For XP, open the Start menu and navigate to Control Panel, then Add or Remove Programs.

The entry for this program may be called "Wsys Control <version number>".

If an uninstaller is not available, does not work properly, or you do not want to use it, the following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation

Trojan:Win32/Wysotot.A is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot is shown below:

Once installed, the trojan adds itself as a service with the name Wsys Service or DProtect Service.

It might add an uninstall entry with the name Wsys Control <version number>. Running this uninstaller might remove Win32/Wysotot.A from your PC.

Payload

Changes browser settings

Win32/Wysotot.A checks if you click on any of the shortcuts for these browsers:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera

When you open one of these browsers, the trojan will redirect you to one of a list of websites instead of your standard browser homepage. Examples of the web pages redirected to include:

  • v9.com
  • 22find.com
  • 322apple.com
  • qvo6.com
  • portaldosites.com
  • delta-homes.com

Win32/Wysotot.A does this by changing what your browser shortcut points to. For example, a shortcut file to:

C:\Program Files\Internet Explorer\iexplore.exe

will be changed to:

C:\Program Files\Internet Explorer\iexplore.exe hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>

The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: "C:\Program Files\Internet Explorer\iexplore.exe http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>"
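The installation and browser-redirect artifacts above (the service names, the Wsys Control uninstall entry, a URL appended to a browser shortcut's arguments, and the StartMenuInternet launch command) can be audited with the following PowerShell script. It is an added example for this entry, not Microsoft's own tooling: the indicator strings come from this page, while the shortcut directory list, the use of the WScript.Shell COM object to read .lnk files, and the decision to check both a value named "command" under shell\open (as written on this page) and the default value of the conventional shell\open\command subkey are assumptions of the script.

```powershell
# Added example: audit a Windows host for the Wysotot.A artifacts described on this page.
# Not Microsoft's code. Indicator strings are from the page; directories and parsing
# method are this script's assumptions. Read-only: it reports, it does not change anything.
$ErrorActionPreference = 'SilentlyContinue'
$browserExes = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe'   # browsers the page lists
$svcNames    = 'Wsys Service', 'DProtect Service'                        # service names from the page
$urlPattern  = '(?i)https?://'                                            # a URL handed to a launcher
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding($Kind, $Where, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Where; Detail = $Detail })
}

# 1. Service persistence under either name the page reports.
Get-CimInstance Win32_Service |
    Where-Object { ($svcNames -contains $_.Name) -or ($svcNames -contains $_.DisplayName) } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 2. Uninstall entry "Wsys Control <version number>" (32- and 64-bit views).
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -like 'Wsys Control*') { Add-Finding 'UninstallEntry' $_.PSPath $p.DisplayName }
    }
}

# 3. Browser shortcuts whose Arguments field carries a URL, as in the iexplore.exe example.
#    Directory list is an assumption covering desktop, Start Menu, Quick Launch and pinned items.
$shortcutDirs = "$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop",
                "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
                "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
                "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
$wsh = New-Object -ComObject WScript.Shell
foreach ($dir in $shortcutDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -File | ForEach-Object {
        $lnk = $wsh.CreateShortcut($_.FullName)
        $exe = [System.IO.Path]::GetFileName([string]$lnk.TargetPath).ToLower()
        if (($browserExes -contains $exe) -and ($lnk.Arguments -match $urlPattern)) {
            Add-Finding 'ShortcutArgs' $_.FullName "$($lnk.TargetPath) $($lnk.Arguments)"
        }
    }
}

# 4. StartMenuInternet launch commands. The page shows IEXPLORE.EXE; every registered
#    client is checked here. Two layouts are read: a value named "command" under
#    shell\open (as written on the page) and the default value of shell\open\command.
$clientRoots = 'HKLM:\SOFTWARE\Clients\StartMenuInternet',
               'HKLM:\SOFTWARE\Wow6432Node\Clients\StartMenuInternet'
foreach ($root in $clientRoots) {
    Get-ChildItem $root | ForEach-Object {
        $open = "$($_.PSPath)\shell\open"
        $fromValue  = (Get-ItemProperty $open).command
        $fromSubkey = (Get-ItemProperty "$open\command").'(default)'
        foreach ($c in $fromValue, $fromSubkey) {
            if ($c -match $urlPattern) { Add-Finding 'StartMenuInternet' $open $c }
        }
    }
}

if ($findings.Count -eq 0) { 'No Wysotot.A artifacts found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt so the HKLM hives and the public profile are readable. A clean shortcut to any of the four browsers normally has an empty Arguments field, so any http:// or https:// string there is worth inspecting even when it is not one of the domains listed above; the same holds for a URL inside a StartMenuInternet command.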

Additional information

Win32/Wysotot.A sends the status of any security software on your PC to a command-and-control (C&C) server.

It can also download, run, and kill processes. Commands include:

  • start
  • run
  • stop
  • uninstall
  • kill
  • restart

Analysis by Geoff McDonald 


Symptoms

The following could indicate that you have this threat on your PC:

  • Your web browser redirects to an unexpected page when you open it
  • You see an uninstaller called Wsys Control:


Prevention


Alert level: Severe
First detected by definition: 1.161.1141.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 31, 2013
This entry was first published on: Oct 30, 2013
This entry was updated on: Mar 14, 2014

This threat is also detected as:
No known aliases