Trojan:Win32/Wysotot.G
First posted on 07 August 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Wysotot.G.
Explanation:
Threat behavior
Installation
Trojan:Win32/Wysotot.G can be installed on your PC by software bundlers that advertise free software.
It can be downloaded with one of the following file names:
- FileSyn.exe
- FileWork.exe
- SynWork.exe
Payload
Installs other malware
We have seen this threat install TrojanDownloader:Win32/Clikug.B.
Connects to a remote host
This trojan connects to lproot.soft365.com//Goplayer/en/apf. This site redirects to s.xingcloud.com/ /en/lproot.soft365.com/Uploads/Goplayer/apf/1107_16/index.html?xcv=0353ce3e14re.
It saves the content of this website to %TEMP%\temp_host_url.html.
This file can contain additional URLs from which the trojan downloads further files. These files are saved as %TEMP%\\ .zip. For example, %TEMP%\8147953\10080531.zip.
Additional information
This threat won't run if it detects that it is in a virtual environment.
It checks for the following virtual environments:
- Anubis
- CWSandbox
- Hyper-V
- JoeBox
- Sandboxie
- VirtualBox
- VMware
It uses several different methods to detect whether it is running in a virtual environment, as well as various anti-debugging techniques.
It also creates a mutex using one of the following formats:
- [Guid(CLSID)]
- [(CLSID)]
Sample CLSIDs include:
- 86193676-D005-4DF6-AA5F-D2DB1C22940F
- 5FF033AF-DEA8-4643-AC95-9C3019532348
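A defender-side check for the indicators described above (the three dropper filenames, the %TEMP% artifacts and the CLSID-style mutex names), written here as an added example and not taken from Microsoft's analysis. The temp directory, the sample file list and every mutex name other than the two CLSIDs quoted above are constructed values.

```python
import re

# Indicators quoted in the Trojan:Win32/Wysotot.G description above.
DROPPER_NAMES = {"filesyn.exe", "filework.exe", "synwork.exe"}
HOST_URL_FILE = "temp_host_url.html"
# %TEMP%\<digits>\<digits>.zip, e.g. %TEMP%\8147953\10080531.zip
ZIP_PATTERN = re.compile(r"^\d+\\\d+\.zip$")
KNOWN_MUTEX_CLSIDS = {"86193676-D005-4DF6-AA5F-D2DB1C22940F", "5FF033AF-DEA8-4643-AC95-9C3019532348"}
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
# Constructed default; on a live host read os.environ["TEMP"] instead.
DEFAULT_TEMP = r"C:\Users\user\AppData\Local\Temp"

def classify_file(path, temp_dir=DEFAULT_TEMP):
    """Label a file path with the page indicator it matches, or None."""
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in DROPPER_NAMES:
        return "dropper-filename"
    prefix = temp_dir.lower().rstrip("\\") + "\\"
    if not low.startswith(prefix):
        return None            # only %TEMP% artifacts are described
    rel = low[len(prefix):]
    if rel == HOST_URL_FILE:
        return "host-url-cache"
    if ZIP_PATTERN.match(rel):
        return "downloaded-zip"
    return None

def classify_mutex(name):
    """Exact CLSID hits are strong; any other GUID-shaped mutex is weak,
    because many legitimate programs also name mutexes after a GUID."""
    if name.strip("{}").upper() in KNOWN_MUTEX_CLSIDS:
        return "known-wysotot-mutex"
    if GUID_RE.match(name):
        return "guid-mutex-low-confidence"
    return None

def scan(files, mutexes, temp_dir=DEFAULT_TEMP):
    """Return (kind, value, label) for every indicator hit, in input order."""
    hits = [("file", f, classify_file(f, temp_dir)) for f in files]
    hits += [("mutex", m, classify_mutex(m)) for m in mutexes]
    return [h for h in hits if h[2] is not None]

if __name__ == "__main__":
    # Constructed sample inventory, not data from a real host.
    sample_files = [DEFAULT_TEMP + r"\temp_host_url.html", DEFAULT_TEMP + r"\8147953\10080531.zip",
                    r"C:\Users\user\Downloads\FileSyn.exe", DEFAULT_TEMP + r"\report.zip"]
    sample_mutexes = ["{86193676-D005-4DF6-AA5F-D2DB1C22940F}", "Global\\MyApp"]
    for hit in scan(sample_files, sample_mutexes):
        print(hit)
```

A GUID-shaped mutex on its own is only a weak signal; treat it as corroboration for the file artifacts, not as a detection by itself.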
Analysis by James Dee
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
  - FileSyn.exe
  - FileWork.exe
  - SynWork.exe
Last update 07 August 2014