
Win32/Wysotot


Microsoft security software detects and removes this threat.

This family of malware can do the following:

  • Change your browser settings
  • Download and run files, including other malware

It spreads through software bundlers and download managers, like GoPlayer Download Manager, that advertise free software or games.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Remove programs

You can also manually try to remove this program:

The entry for this program might be called:

  • Wsys Control <version number>
  • Laban version <version number> 
  • DProtect Control <version number>
  • eSafe Security Control <version number>

The following screenshot shows the uninstallation entry for the trojan, using the name "Wsys Control":

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

The trojans in this family are usually installed on your PC by software bundlers that advertise free software or games, such as the following:

We have seen the trojans use the file name Laban.exe, installed in the %APPDATA% folder.

We have also seen the trojans use the file name eGdpSvc.exe, and install it to:

They also create the following registry entries as part of their installation routine:

In subkey: HKLM\SOFTWARE\eSafeSecControl
Sets value: "sid"
With data: "eGdp"

Sets value: "pid"
With data: "eSafe"

Sets value: "ptid"
With data: "imm"

Sets value: "channel"
With data: "<channel string>" where <channel string> can be "eShengJi", "newdl", or "Gdp"

Sets value: "ver"
With data: "<version number>" where <version number> is a series of numbers in the format "XX.X.X.XXXX", for example, 10.2.1.2612

When installed, some of the variants from this malware family, such as Trojan:Win32/Wysotot.C, add themselves as a service with either of the following names:

  • Wsys Service
  • DProtect Service

These variants register the service by making changes to the registry:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\WsysSvc
Sets value: "Type"
With data: "0x00000010"

Sets value: "Start"
With data: "0x00000002"

Sets value: "ErrorControl"
With data: "0x00000001"

Sets value: "ImagePath"
With data: "<location of the trojan>"

Sets value: "DisplayName"
With data: "<name of the service>"

Sets value: "Description"
With data: "<description of the service>"

Sets value: "Group"
With data: "SchedulerGroup"

Sets value: "ObjectName"
With data: "LocalSystem"

Payload

Modifying browser shortcut files

The trojans check if you click on any of the shortcuts for these browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera

When you open your browser, the trojan will redirect you to a webpage that is not your standard homepage, such as:

  • 22apple.com
  • 22find.com
  • delta-homes.com
  • laban.vn
  • portaldosites.com
  • qvo6.com
  • v9.com

The malware redirects you by changing what your browser shortcut points to. For example, a shortcut file to:

C:\Program Files\Internet Explorer\iexplore.exe

Will be changed to:

C:\Program Files\Internet Explorer\iexplore.exe hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
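The shortcut hijack described above leaves a simple artifact: a browser .lnk file whose Arguments field carries a URL. The following PowerShell script is an added example (not part of the Microsoft encyclopedia entry) that reads each shortcut under the usual Desktop, Start Menu and Quick Launch locations through the WScript.Shell COM object and reports browser shortcuts with a URL in their arguments. The search locations, the list of browser executables and the regular expression are assumptions made for the example; the encyclopedia entry only states that the shortcut's target line gets a URL appended.

```powershell
# Added example: find browser shortcuts whose arguments contain a URL, which is
# how Win32/Wysotot redirects the browser. Search roots, executable names and
# the URL regex are assumptions for this example, not from the encyclopedia entry.

$browserExes = 'iexplore.exe', 'chrome.exe', 'firefox.exe', 'opera.exe'

# Locations where browser shortcuts normally live (assumed; extend as needed).
# Quick Launch includes the "User Pinned\TaskBar" subfolder, so recursing from
# it also covers taskbar-pinned browsers.
$searchRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

function Test-HijackedShortcut {
    param([string]$LnkPath)
    $lnk = $shell.CreateShortcut($LnkPath)
    $target = [System.IO.Path]::GetFileName($lnk.TargetPath)
    if ($browserExes -notcontains $target.ToLower()) { return $null }
    # A clean browser shortcut has no URL in Arguments. The entry prints the
    # URL defanged as "hxxp://"; on a live system it is "http://".
    if ($lnk.Arguments -match '(?i)\bh(xx|tt)ps?://') {
        [pscustomobject]@{
            Shortcut  = $LnkPath
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    }
}

$findings = foreach ($root in $searchRoots) {
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-HijackedShortcut -LnkPath $_.FullName }
}

if ($findings) {
    $findings | Format-List
    # Cleanup, if you choose to apply it: clear the Arguments field and save.
    # foreach ($f in $findings) {
    #     $s = $shell.CreateShortcut($f.Shortcut); $s.Arguments = ''; $s.Save()
    # }
} else {
    'No browser shortcuts with URL arguments found.'
}
```

The check keys on the Arguments field rather than the target path because, as the example above shows, the hijacked shortcut still points at the legitimate iexplore.exe; only the appended argument changes. Run it in a normal user session to cover per-user shortcuts, and once elevated to cover the common (all users) Desktop and Start Menu.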

Changes browser settings

The malware family also modifies the following registry keys to redirect the start menu entry for Internet Explorer:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Sets value: "(DEFAULT)"
With data: "C:\Program Files\Internet Explorer\iexplore.exe" <one of the above-mentioned remote sites>

They also modify the following registry keys to change the Internet Explorer start page:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<name of remote site>"

Sets value: "Default_Page_URL"
With data: "<name of remote site>" 

Example of a remote site:
hxxp://en.v9.com/?utm_source=b&utm_medium=<some tag>&utm_campaign=<some tag>&utm_content=sc&from=<some tag>&uid=<some text>&ts=<some timestamp>

Downloads and installs other files

Win32/Wysotot connects to the following remote sites to download and install updates and other files:

Creates an uninstaller

Some variants can also create an uninstall option.

They do that by making the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl
Sets value: "DisplayName"
With data: "Wsys Control <version>"

Sets value: "DisplayVersion"
With data: "<version>"

Sets value: "Publisher"
With data: "Wsys Co., Ltd."

Sets value: "UninstallString"
With data: "<location of the trojan> <uninstall parameter>"

Sets value: "DisplayIcon"
With data: "<location of the trojan>"

We have seen trojans use the following names for the uninstaller:

  • DProtect Control <version number> 
  • eSafe Security Control <version number>
  • Laban version <version number>

The uninstallation entry can be seen in the Control Panel. Running this uninstaller might remove the malware from your PC. The uninstaller might look similar to the following:

Bypasses firewall

Some Win32/Wysotot variants attempt to bypass the system's firewall by adding the trojan's path and file name to the registry:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

We have seen it use the following CLSIDs in the registry entry:

{C83CBC6C-10E4-4294-8EB4-D3B4E39D14E0}
{6362668F-63A9-4417-852B-B96799BEDE22}
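The Installation, Changes browser settings, Creates an uninstaller and Bypasses firewall sections above all name specific registry locations. The following PowerShell script is an added example (not part of the Microsoft encyclopedia entry) that walks those locations and reports which of the described artifacts are present on the machine it runs on. The key names, value names, CLSIDs and redirect domains are taken from the entry; the assumption that the CLSIDs appear as value names under FirewallRules, and the regular expressions used to match the data, are the example's own.

```powershell
# Added example: check the registry locations the encyclopedia entry names for
# Win32/Wysotot artifacts. Key and value names, CLSIDs and domains come from the
# entry; treating the CLSIDs as FirewallRules value names is an assumption.

$redirectDomains = '22apple\.com', '22find\.com', 'delta-homes\.com', 'laban\.vn',
                   'portaldosites\.com', 'qvo6\.com', 'v9\.com'
$domainPattern = '(?i)(' + ($redirectDomains -join '|') + ')'
$urlPattern    = '(?i)\bhttps?://'

# Each check: registry path, value name, and a regex the data must match.
# Name = $null means the key merely existing is the indicator.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\eSafeSecControl'; Name = $null; Pattern = $null
       Why  = 'installation key holding sid/pid/ptid/channel/ver values' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WsysSvc'; Name = 'ImagePath'; Pattern = '.'
       Why  = 'service registration (Wsys Service / DProtect Service)' },
    @{ Path = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
       Name = '(default)'; Pattern = $urlPattern
       Why  = 'Start Menu entry for Internet Explorer launches with a URL' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page'; Pattern = $domainPattern
       Why  = 'IE start page points at a redirect site named in the entry' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Default_Page_URL'; Pattern = $domainPattern
       Why  = 'IE default page points at a redirect site named in the entry' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl'; Name = 'DisplayName'; Pattern = '.'
       Why  = 'uninstall entry created by the trojan' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
       Name = '{C83CBC6C-10E4-4294-8EB4-D3B4E39D14E0}'; Pattern = '.'
       Why  = 'firewall rule named with a CLSID the entry lists' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
       Name = '{6362668F-63A9-4417-852B-B96799BEDE22}'; Pattern = '.'
       Why  = 'firewall rule named with a CLSID the entry lists' }
)

function Test-RegistryArtifact {
    param([hashtable]$Check)
    if (-not (Test-Path -LiteralPath $Check.Path)) { return $null }
    if ($null -eq $Check.Name) {
        return [pscustomobject]@{ Path = $Check.Path; Name = ''; Data = ''; Why = $Check.Why }
    }
    $props = Get-ItemProperty -LiteralPath $Check.Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $data = $props.($Check.Name)        # works for '(default)' and for {CLSID} names
    if ($null -eq $data) { return $null }
    if ([string]$data -match $Check.Pattern) {
        return [pscustomobject]@{ Path = $Check.Path; Name = $Check.Name; Data = [string]$data; Why = $Check.Why }
    }
    $null
}

$hits = foreach ($c in $checks) { Test-RegistryArtifact -Check $c }
if ($hits) {
    $hits | Format-List
} else {
    'None of the Win32/Wysotot registry artifacts from the entry were found.'
}
```

The HKCU checks only see the profile the script runs under; for other users on the machine, load their hives or run the script in each session. A hit on the uninstall entry alone tells you the Control Panel uninstaller described above is available; a hit on the FirewallRules or WsysSvc keys after running that uninstaller tells you it did not clean up completely and the remaining entries need removing by hand or by the Microsoft tools listed under "What to do now".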

Analysis by Geoff McDonald


Symptoms

You see an uninstaller entry with one of the following names:

  • Wsys Control <version number>
  • Laban version <version number> 
  • DProtect Control <version number>
  • eSafe Security Control <version number>

For example, you see the following:


  • Your web browser redirects you to an unexpected page when you open it
  • Your registry entries are modified (see the Payload section for details)

Prevention


Alert level: Severe
This entry was first published on: Oct 30, 2013
This entry was updated on: Aug 22, 2014

This threat is also detected as:
  • TROJ_STASER.AB (Trend Micro)
  • Win32/ELEX.S (ESET)
  • Trojan.Win32.Staser.fv (Kaspersky)
  • Mal/Cleaman-B (Sophos)
  • Trojan.Win32.Staser (Ikarus)
  • TR/Staser.rfm (Avira)
  • W32/Staser.FV!tr (Fortinet)
  • Adware-Bprotect (McAfee)
  • Adware.Mutabaha.25 (Dr.Web)
  • Trojan/Win32.Staser (AhnLab)