Trojan:Win32/Wysotot.E


Microsoft security software detects and removes this threat.

This threat can make changes to your web browser start page. It can also install other malware, including Trojan:Win32/Wysotot.D.

It is usually installed on your PC by software bundlers that advertise free software or games.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Wysotot.E is usually installed on your PC by software bundlers that advertise free software or games.

Payload

Installs other malware

Win32/Wysotot.E can install additional programs, including clean browser plugins or toolbars, and other malware. These programs are usually extracted to %TEMP%\v9zip_000\ and then run.

For example, we have seen this threat install:

  • %TEMP%\v9zip_000\autorun.exe

We detect this file as Trojan:Win32/Wysotot.D, which installs itself as checkrun22apple.exe under directory %HOMEPATH%\Application Data.

Changes browser settings

Win32/Wysotot.E changes the start page of some web browsers by changing browser shortcuts and registry values.

It changes browser shortcuts (.lnk) to point the browser home page to a predefined website. The trojan searches these folders for .lnk files.

  • All Users\Desktop
  • All Users\Start Menu\Programs
  • Start Menu\Programs
  • Start Menu\Programs\Startup
  • <user name>\Application Data (to locate the Quick Launch folder)
  • <user name>\Desktop

The trojan can change the home page for the following browsers:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe

Examples of shortcuts that can be modified include:

  • application data\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
  • start menu\programs\internet explorer.lnk
  • desktop\launch internet explorer browser.lnk

Examples of pages it redirects to include:

  • 22find.com
  • 22apple.com
  • delta-homes.com
  • portaldosites.com
  • qone8.com
  • qvo6.com
  • v9.com

Win32/Wysotot.E enumerates the following registry key looking for shell open command registry values pointing to web browsers:

  • HKLM\SOFTWARE\Clients\StartMenuInternet

Examples of the modified registry value include:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Sets value: "(default)"
With data: ""%ProgramFiles%\internet explorer\iexplore.exe" http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"

In addition, it can change one of the following registry values to point to one of these websites:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"

In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing
Sets value: "1"
With data: "NewTabPageShow"
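The following triage script is an added example, not part of the Microsoft entry. It checks the locations this entry names (the %TEMP% drop path, browser .lnk files in the listed folders, the StartMenuInternet shell\open\command values and the IE Start Page values) for a browser launch argument or start page whose host is one of the redirect sites listed above. The mapping of the XP-era folder names to [Environment]::GetFolderPath values and the Quick Launch path under Application Data are assumptions.

```powershell
# Added triage script (not from the Microsoft entry). Run in an elevated PowerShell session.
$SuspectHosts = @('22find.com','22apple.com','delta-homes.com','portaldosites.com',
                  'qone8.com','qvo6.com','v9.com')               # redirect sites listed in the entry
$Browsers     = @('chrome.exe','firefox.exe','iexplore.exe','opera.exe')
function Test-SuspectUrl {
    param([string]$Text)
    # Return the first URL in $Text whose host is (a subdomain of) one of the listed redirect sites
    foreach ($m in [regex]::Matches($Text, 'https?://[^\s"]+')) {
        $uri = $null
        if ([Uri]::TryCreate($m.Value, [UriKind]::Absolute, [ref]$uri)) {
            foreach ($h in $SuspectHosts) {
                if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $m.Value }
            }
        }
    }
    return $null
}

# 1. Dropped file named under Symptoms.
$drop = Join-Path $env:TEMP 'v9zip_000\autorun.exe'
if (Test-Path $drop) { Write-Output "[file] $drop present" }

# 2. Browser shortcuts. Assumption: these SpecialFolder values map the XP-era folder names in the entry.
$ShortcutRoots = @('CommonDesktopDirectory','CommonPrograms','Programs','Startup','Desktop' |
                   ForEach-Object { [Environment]::GetFolderPath($_) })
$ShortcutRoots += Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Internet Explorer\Quick Launch'
$shell = New-Object -ComObject WScript.Shell
foreach ($root in $ShortcutRoots | Where-Object { $_ -and (Test-Path $_) }) {
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if ($Browsers -contains $exe) {
            $hit = Test-SuspectUrl $lnk.Arguments
            if ($hit) { Write-Output "[shortcut] $($_.FullName) launches $exe with $hit" }
        }
    }
}

# 3. StartMenuInternet shell\open\command values and IE Start Page values.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'command' } | ForEach-Object {
        $hit = Test-SuspectUrl (Get-ItemProperty -Path $_.PSPath).'(default)'
        if ($hit) { Write-Output "[registry] $($_.Name) -> $hit" }
    }
foreach ($key in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                 'HKLM:\Software\Microsoft\Internet Explorer\Main') {
    $sp  = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    $hit = Test-SuspectUrl $sp
    if ($hit) { Write-Output "[registry] $key\Start Page -> $hit" }
}
```

A clean machine produces no output; each line reported is a shortcut, registry value or file that matches the indicators in this entry and should be reviewed before the browser start page is reset.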

Analysis by Shali Hsieh


Symptoms

The following could indicate that you have this threat on your PC:

  • You have this file:
    %TEMP%\v9zip_000\autorun.exe

Prevention


Alert level: Severe
First detected by definition: 1.167.1946.0
Latest detected by definition: 1.191.3855.0 and higher
First detected on: Mar 14, 2014
This entry was first published on: Mar 26, 2014
This entry was updated on: Sep 02, 2014

This threat is also detected as:
  • Crypt_s.EDM (AVG)
  • Adware.Mutabaha.20 (Dr.Web)
  • PUP-FDW!9697307E1145 (McAfee)
  • Win32/ELEX.D (ESET)