is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot is shown below:
Once installed, the trojan adds itself as a service with the name “Wsys Service” or “DProtect Service”.
It might add an uninstall entry with the name “Wsys Control <version number>”. Running this uninstaller might remove Win32/Wysotot.B from your PC.
Changes browser settings
Win32/Wysotot.B checks if you click on any of the shortcuts for these browsers:
When you open one of these browsers, the trojan will redirect you to one of a list of websites instead of your standard browser homepage. Examples of the web pages redirected to include:
Win32/Wysotot.B does this by changing what your browser shortcut points to. For example, a shortcut file to:
C:\Program Files\Internet Explorer\iexplore.exe
Will be changed to:
"C:\Program Files\Internet Explorer\iexplore.exe" hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:
In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: ""C:\Program Files\Internet Explorer\iexplore.exe" http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>"
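The check below is an added example, not part of the original analysis: it lists browser shortcuts and StartMenuInternet open commands that carry a URL argument, the two changes described above. The browser executable list and the folders searched are assumptions; the script only reads and reports.

```powershell
# Added example, not from the original write-up. Read-only: it reports and changes nothing.
# Assumptions: the browser executable list and the folders searched are illustrative.
$browsers   = 'iexplore.exe', 'chrome.exe', 'firefox.exe'
$urlPattern = '(?i)\bhttps?://'

$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Shortcut files: a browser target whose Arguments field contains a URL.
foreach ($folder in $folders) {
    foreach ($file in Get-ChildItem -LiteralPath $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $exe = [IO.Path]::GetFileName($lnk.TargetPath)
        if (($browsers -contains $exe) -and ($lnk.Arguments -match $urlPattern)) {
            $findings += [pscustomobject]@{
                Source  = $file.FullName
                Command = '"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments
            }
        }
    }
}

# 2. Start menu browser registrations under StartMenuInternet.
$root = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
foreach ($client in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $open = Join-Path $client.PSPath 'shell\open'
    $cmds = @(
        # A value named "command" under shell\open, as the description lists it
        (Get-ItemProperty -LiteralPath $open -ErrorAction SilentlyContinue).command
        # The default value of the shell\open\command subkey
        (Get-ItemProperty -LiteralPath "$open\command" -ErrorAction SilentlyContinue).'(default)'
    )
    foreach ($cmd in $cmds) {
        if ($cmd -match $urlPattern) {
            $findings += [pscustomobject]@{ Source = "$($client.Name)\shell\open"; Command = $cmd }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No browser launch commands with URL arguments found.' }
```

A hit means a browser launch command has a URL appended; compare it against the redirect pattern shown above before treating it as this threat.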
Win32/Wysotot.B sends the status of any security software on your PC to a command-and-control (C&C) server.
It can also download, run, and kill processes. Commands include:
Analysis by Geoff McDonald
The following could indicate that you have this threat on your PC:
- Your web browser redirects to an unexpected page when you open it
- You see an uninstaller called "Wsys Control"