Trojan:Win32/Wysotot.E

Installation

Trojan:Win32/Wysotot.E is usually installed on your PC by software bundlers that advertise free software or games.

Payload

Installs other malware

Win32/Wysotot.E can install additional programs, including clean browser plugins or toolbars, and other malware. These programs are usually extracted to %TEMP%\v9zip_000\ and then run.

For example, we have seen this threat install:

• %TEMP % \v9zip_000\autorun.exe

We detect this file as Trojan:Win32/Wysotot.D, which installs itself as checkrun22apple.exe under directory %HOMEPATH%\Application Data.

Changes browser settings

Win32/Wysotot.E changes the start page of some web browsers by changeng browser shortcuts and registry values.

It changes browser shortcuts (.lnk) to point the browser home page to a predefined website. The trojan searches these folders for .lnk files.

• All Users\Desktop
• All Users\Start Menu\Programs
• Start Menu\Programs
• Start Menu\Programs\Startup
• <user name>\Application Data to get Quick Launch
• <user name>\Desktop

The trojan can change the home page for the following browsers:

• chrome.exe
• firefox.exe
• iexplore.exe
• opera.exe

Example of the shortcuts that can be modified include:

• application data\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
• start menu\programs\internet explorer.lnk
• desktop\launch internet explorer browser.lnk

Examples of pages it redirects to include:

• 22find.com
• 22apple.com
• delta-homes.com
• portaldosites.com
• qone8.com
• qvo6.com
• v9.com

Win32/Wysotot.E enumerates the following registry key looking for shell open command registry values pointing to web browsers:

• HKLM\SOFTWARE\Clients\StartMenuInternet

Examples of the modified registry value include:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Sets value: "(default)"
With data: ""%ProgramFiles%\internet explorer\iexplore.exe" http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"

In addition, it can change one of the following registry values to point to one of these websites:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"

In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=<sometext>&from=<sometext>&uid=<sometext>&ts=<somevalue>"

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing
Sets value: "1"
With data: "NewTabPageShow"

Analysis by Shali Hsieh