Trojan:Win32/Wysotot.gen!A
First posted on 11 February 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Wysotot.gen!A.
Explanation:
Threat behavior
Installation
Trojan:Win32/Wysotot.gen!A is usually installed on your PC by software bundlers that advertise free software or games. One installer that we have seen distribute Win32/Wysotot.gen!A is shown below:
When the installer is launched, it creates a folder in the %ProgramFiles% directory and drops a file there, for example %ProgramFiles%\v9Soft\v9kb.exe.
It also drops and launches a DLL in the %TEMP% directory, for example %TEMP%\v9Loader.dll, and installs it as a browser helper object.
Payload
Changes browser settings
Trojan:Win32/Wysotot.gen!A makes changes to the settings of the following web browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
It changes the start page so that when the browser is launched it opens a website on the v9.com domain. It can do this via the registry, for instance it makes the following modifications for Internet Explorer:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: http://www.v9.com/b&utm_medium=kb
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Default_Page_URL"
With data: http://www.v9.com/b&utm_medium=kb
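The two registry values above are the simplest artifact to check for during triage. The Python script below is an added example, not part of the Microsoft entry: it parses the text of a `reg export` dump of the Internet Explorer `Main` key (the sample dump is constructed here; the `Start Page` and `Default_Page_URL` data come from the entry, the other two values are benign filler) and reports any watched value whose host is v9.com or a subdomain of it. The host comparison is done label-wise rather than by substring so that a URL such as `http://www.bing.com/?q=v9.com` is not flagged.

```python
"""Offline check for the Internet Explorer start-page hijack attributed to
Trojan:Win32/Wysotot.gen!A, run against a .reg export (constructed example)."""
import re
from urllib.parse import urlsplit

HIJACK_DOMAIN = "v9.com"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
WATCHED_VALUES = ("Start Page", "Default_Page_URL")

# Constructed sample of what `reg export "HKCU\Software\Microsoft\Internet
# Explorer\Main"` could contain on an affected machine. The two v9.com values
# are taken from the entry; "Search Page" and "NoProtectedModeBanner" are
# benign filler added for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.v9.com/b&utm_medium=kb"
"Default_Page_URL"="http://www.v9.com/b&utm_medium=kb"
"Search Page"="http://www.bing.com/"
"NoProtectedModeBanner"=dword:00000001
'''

# A value line is either "name"=data or @=data (the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export.

    REG_SZ data is unquoted and unescaped; other types (dword:, hex:, ...)
    are kept as the raw right-hand side so the caller can still see them.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def host_matches(url, domain):
    """True if the URL's host is `domain` or a subdomain of it.

    Comparing whole labels avoids both false positives from the domain
    appearing in a query string and from look-alikes such as
    v9.com.example.net.
    """
    if "://" not in url:
        url = "//" + url  # let urlsplit see a bare host as the netloc
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_hijacked_values(reg_text, domain=HIJACK_DOMAIN):
    """List (value_name, data) for watched IE values that point at `domain`."""
    main = parse_reg(reg_text).get(IE_MAIN_KEY, {})
    hits = []
    for name in WATCHED_VALUES:
        data = main.get(name)
        if data is not None and host_matches(data, domain):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_hijacked_values(SAMPLE_REG):
        print(f"hijacked: {name} -> {data}")
```

To use it on a real system, export the key with `reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie_main.reg` and pass the file's text to `find_hijacked_values`; note that `reg export` writes UTF-16LE, so open the file with that encoding. The per-user key should be checked for every profile on the machine, not just the one currently logged in.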
Trojan:Win32/Wysotot.gen!A also modifies the default search provider to www.v9.com as shown below:
Analysis by Amir Fouda
Symptoms
The following could indicate that you have this threat on your PC:
- Your web browser start page and default search provider have been changed to www.v9.com
Last update 11 February 2014