Trojan:Win32/Wysotot is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot is shown below:
Once installed, the trojan adds itself as a service with the name Wsys Service or DProtect Service.
It might add an uninstall entry with the name Wsys Control <version number>. Running this uninstaller might remove Win32/Wysotot from your PC.
Changes browser settings
The trojan checks if you click on any of the shortcuts for these browsers:
When you open one of these browsers, the trojan will redirect you to one of a list of websites instead of your standard browser homepage. Examples of the web pages redirected to include:
The trojan does this by changing what your browser shortcut points to. For example, a shortcut file to:
C:\Program Files\Internet Explorer\iexplore.exe
Will be changed to:
C:\Program Files\Internet Explorer\iexplore.exe hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:
In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: ""C:\Program Files\Internet Explorer\iexplore.exe" http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>"
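A read-only check for the changes described above (browser shortcuts and the Internet Explorer start menu command carrying a URL argument, plus the two service names listed earlier), as an added PowerShell example that is not part of the original analysis. The browser executable list and the folders searched are assumptions; the registry check reads both a value named "command" under shell\open and the default value of the shell\open\command subkey.

```powershell
# Added example (not from the original analysis). Read-only: reports, changes nothing.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe', 'opera.exe'   # assumed list
$urlArg   = 'https?://\S+'                                             # URL passed as an argument
$services = 'Wsys Service', 'DProtect Service'                         # names given on the page

# Folders searched for .lnk files (assumption: common shortcut locations)
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
$folders = @($folders | Where-Object { $_ -and (Test-Path -LiteralPath $_) })

# 1. Shortcuts whose target is a browser and whose arguments contain a URL
$shell = New-Object -ComObject WScript.Shell
$links = $folders | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Filter *.lnk -Recurse -ErrorAction SilentlyContinue
}
foreach ($file in $links) {
    $lnk = $shell.CreateShortcut($file.FullName)
    if (-not $lnk.TargetPath) { continue }        # shortcut without a file target
    $exe = Split-Path -Path $lnk.TargetPath -Leaf
    if ($browsers -contains $exe -and $lnk.Arguments -match $urlArg) {
        [pscustomobject]@{ Type = 'Shortcut'; Location = $file.FullName; Value = $lnk.Arguments }
    }
}

# 2. Start menu entry for Internet Explorer: command line with a URL appended
$open = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open'
$commands = @(
    Get-Item -LiteralPath $open -ErrorAction SilentlyContinue | ForEach-Object { $_.GetValue('command') }
    Get-Item -LiteralPath "$open\command" -ErrorAction SilentlyContinue | ForEach-Object { $_.GetValue('') }
)
foreach ($cmd in $commands) {
    if ($cmd -match $urlArg) {
        [pscustomobject]@{ Type = 'Registry'; Location = $open; Value = $cmd }
    }
}

# 3. Services matching the names the trojan registers (by name or display name)
Get-Service | Where-Object { $services -contains $_.Name -or $services -contains $_.DisplayName } |
    ForEach-Object { [pscustomobject]@{ Type = 'Service'; Location = $_.Name; Value = $_.DisplayName } }
```

Pipe the output to Format-List to read long values. A legitimate shortcut can also pass a URL to a browser, so review each hit before changing it.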
The trojan sends the status of any security software on your PC to a command-and-control (C&C) server.
It can also download, run, and kill processes. Commands include:
Analysis by Geoff McDonald
The following could indicate that you have this threat on your PC:
- Your web browser redirects to an unexpected page when you open it
- You see an uninstaller called Wsys Control: