Installation
Trojan:Win32/Wysotot.A is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot is shown below:
Once installed, the trojan adds itself as a service with the name Wsys Service or DProtect Service.
It might add an uninstall entry with the name Wsys Control <version number>. Running this uninstaller might remove Win32/Wysotot.A from your PC.
Payload
Changes browser settings
Win32/Wysotot.A checks if you click on any of the shortcuts for these browsers:
- Internet Explorer
- Firefox
- Chrome
- Opera
When you open one of these browsers, the trojan redirects you to one of several websites instead of your standard browser homepage. Examples of the web pages redirected to include:
- v9.com
- 22find.com
- 322apple.com
- qvo6.com
- portaldosites.com
- delta-homes.com
Win32/Wysotot.A does this by changing what your browser shortcut points to. For example, a shortcut file to:
C:\Program Files\Internet Explorer\iexplore.exe
will be changed to:
C:\Program Files\Internet Explorer\iexplore.exe hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
The trojan also changes the following registry key to redirect the start menu entry for Internet Explorer:
In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\
Sets value: "command"
With data: "C:\Program Files\Internet Explorer\iexplore.exe http://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>"
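The two hijack points described above (URL arguments appended to browser shortcuts, and a URL in the StartMenuInternet open command) can be audited with the following PowerShell script. It is an added example, not part of this write-up or any Microsoft tool; the shortcut folders and browser executable names are assumptions about a typical install, and it reads the default value of the `shell\open\command` subkey, which is where the StartMenuInternet command is stored.

```powershell
# Added example: audit browser shortcuts and StartMenuInternet entries for an
# appended URL, the modification Win32/Wysotot.A makes. Folder and executable
# names are assumptions; adjust them for your environment.

$BrowserExes  = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe'
$ShortcutDirs = @(
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
)

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

# A clean browser shortcut has an empty Arguments field; a URL there is the
# shortcut hijack shown above.
foreach ($dir in $ShortcutDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
        if (($BrowserExes -contains $exe) -and ($lnk.Arguments -match 'https?://')) {
            $findings += [pscustomobject]@{
                Kind = 'Shortcut'; Path = $_.FullName; Command = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
        }
    }
}

# Registry side: the write-up names the IEXPLORE.EXE client key; the same check is
# applied to every registered StartMenuInternet client in both hives.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $base = "$hive\SOFTWARE\Clients\StartMenuInternet"
    if (-not (Test-Path $base)) { continue }
    Get-ChildItem -Path $base | ForEach-Object {
        $cmdKey = Join-Path $_.PSPath 'shell\open\command'
        if (-not (Test-Path $cmdKey)) { return }
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if ($cmd -match 'https?://') {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Path = $cmdKey; Command = $cmd }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No browser shortcut or StartMenuInternet hijack found.' }
```

Run it in an elevated session so the HKLM keys and the all-users Start Menu folder are readable; any row reported should be compared against the corresponding entry on a known-clean machine before it is restored.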
Additional information
Win32/Wysotot.A sends the status of any security software on your PC to a command-and-control (C&C) server.
It can also download, run, and kill processes. Commands include:
- start
- run
- stop
- uninstall
- kill
- restart
Analysis by Geoff McDonald