Installation
Trojan:Win32/Wysotot.E is usually installed on your PC by software bundlers that advertise free software or games.
Payload
Installs other malware
Win32/Wysotot.E can install additional programs, including clean browser plugins or toolbars, and other malware. These programs are usually extracted to %TEMP%\v9zip_000\ and then run.
For example, we have seen this threat install:
- %TEMP%\v9zip_000\autorun.exe
We detect this file as Trojan:Win32/Wysotot.D, which installs itself as checkrun22apple.exe under directory %HOMEPATH%\Application Data.
Changes browser settings
Win32/Wysotot.E changes the start page of some web browsers by changing browser shortcuts and registry values.
It changes browser shortcuts (.lnk) to point the browser home page to a predefined website. The trojan searches the following folders for .lnk files:
- All Users\Desktop
- All Users\Start Menu\Programs
- Start Menu\Programs
- Start Menu\Programs\Startup
- <user name>\Application Data (to reach the Quick Launch folder)
- <user name>\Desktop
The trojan can change the home page for the following browsers:
- chrome.exe
- firefox.exe
- iexplore.exe
- opera.exe
Examples of shortcuts that can be modified include:
- application data\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
- start menu\programs\internet explorer.lnk
- desktop\launch internet explorer browser.lnk
Examples of pages it redirects to include:
- 22find.com
- 22apple.com
- delta-homes.com
- portaldosites.com
- qone8.com
- qvo6.com
- v9.com
Win32/Wysotot.E enumerates the following registry key, looking for shell\open\command values that point to web browsers:
- HKLM\SOFTWARE\Clients\StartMenuInternet
Examples of modified registry values include:
In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Sets value: "(default)"
With data: ""%ProgramFiles%\internet explorer\iexplore.exe" http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"
In addition, it can change one of the following registry values to point to one of these websites:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"
In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"
In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing
Sets value: "1"
With data: "NewTabPageShow"
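The shortcut and registry modifications described above can be audited from an administrator PowerShell prompt. The script below is an added example and is not part of the Microsoft write-up: it reads the target and arguments of every .lnk file in the shortcut folders, reads the StartMenuInternet open commands and the Internet Explorer Start Page values, and reports any entry whose URL contains one of the redirect domains listed on this page. It assumes the modern profile layout (Public\Desktop, ProgramData and AppData\Roaming paths) in place of the write-up's "All Users" and "Application Data" folder names, and it only reports findings; it does not change anything.

```powershell
# Added example, not from the Microsoft write-up.
# Audits the locations Win32/Wysotot.E modifies and reports entries that
# point a browser at one of the redirect domains named in the write-up.
# Assumption: run elevated so the HKLM keys are readable.

# Domains taken from the write-up; extend as needed.
$hijackDomains = @('22find.com','22apple.com','delta-homes.com',
                   'portaldosites.com','qone8.com','qvo6.com','v9.com')
# Browsers whose shortcuts and launch commands the trojan targets.
$browsers = @('chrome.exe','firefox.exe','iexplore.exe','opera.exe')

# Returns the matching domain if $Text references one of them, otherwise $null.
function Test-HijackUrl {
    param([string]$Text)
    if (-not $Text) { return $null }
    $lower = $Text.ToLowerInvariant()
    foreach ($d in $hijackDomains) {
        if ($lower.Contains($d)) { return $d }
    }
    return $null
}

function Get-WysototIndicators {
    # 1. Browser shortcuts: a hijacked .lnk launches the browser with a URL argument.
    #    Folder list mirrors the write-up, mapped to current profile paths (assumption).
    $shell = New-Object -ComObject WScript.Shell
    $lnkRoots = @(
        "$env:PUBLIC\Desktop",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
        "$env:USERPROFILE\Desktop"
    )
    foreach ($root in $lnkRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $exe = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
                $hit = Test-HijackUrl $lnk.Arguments
                if (($browsers -contains $exe) -and $hit) {
                    [pscustomobject]@{ Kind='Shortcut'; Location=$_.FullName;
                                       Value=$lnk.Arguments; Domain=$hit }
                }
            }
    }

    # 2. HKLM\SOFTWARE\Clients\StartMenuInternet\<browser>\shell\open\command, (default) value.
    $smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
    Get-ChildItem -Path $smi -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$smi\$($_.PSChildName)\shell\open\command"
        if (Test-Path -Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            $hit = Test-HijackUrl $cmd
            if ($hit) {
                [pscustomobject]@{ Kind='Registry'; Location="$cmdKey\(default)";
                                   Value=$cmd; Domain=$hit }
            }
        }
    }

    # 3. Internet Explorer "Start Page" in both hives named in the write-up.
    foreach ($hive in 'HKCU','HKLM') {
        $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        $sp = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
        $hit = Test-HijackUrl $sp
        if ($hit) {
            [pscustomobject]@{ Kind='Registry'; Location="$main\Start Page";
                               Value=$sp; Domain=$hit }
        }
    }

    # 4. Dropper staging folder named in the write-up.
    $staging = "$env:TEMP\v9zip_000"
    if (Test-Path -LiteralPath $staging) {
        [pscustomobject]@{ Kind='File'; Location=$staging;
                           Value='dropper staging folder present'; Domain='' }
    }
}

Get-WysototIndicators | Format-Table -AutoSize
```

Each reported line names the location to inspect; a matching shortcut should be recreated from the browser's own installer or a clean copy rather than edited in place, and the registry values can be compared against the browser's normal launch command before being restored.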
Analysis by Shali Hsieh