
Trojan:Win32/Wysotot.E


First posted on 27 March 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Wysotot.E.

Explanation:

Threat behavior

Installation

Trojan:Win32/Wysotot.E is usually installed on your PC by software bundlers that advertise free software or games.

Payload

Installs other malware

Win32/Wysotot.E can install additional programs, including clean browser plugins or toolbars, and other malware. These programs are usually extracted to %TEMP%\v9zip_000\ and then run.

For example, we have seen this threat install:

  • %TEMP%\v9zip_000\autorun.exe


We detect this file as Trojan:Win32/Wysotot.D, which installs itself as checkrun22apple.exe under directory %HOMEPATH%\Application Data.

Changes browser settings

Win32/Wysotot.E changes the start page of some web browsers by changing browser shortcuts and registry values.

It changes browser shortcuts (.lnk) to point the browser home page to a predefined website. The trojan searches these folders for .lnk files:

  • All Users\Desktop
  • All Users\Start Menu\Programs
  • Start Menu\Programs
  • Start Menu\Programs\Startup
  • \Application Data (to locate the Quick Launch folder)
  • \Desktop


The trojan can change the home page for the following browsers:

  • chrome.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe


Examples of shortcuts that can be modified include:

  • application data\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
  • start menu\programs\internet explorer.lnk
  • desktop\launch internet explorer browser.lnk


Examples of pages it redirects to include:

  • 22find.com
  • 22apple.com
  • delta-homes.com
  • portaldosites.com
  • qone8.com
  • qvo6.com
  • v9.com


Win32/Wysotot.E enumerates the following registry key looking for shell\open\command registry values that point to web browsers:

  • HKLM\SOFTWARE\Clients\StartMenuInternet


Examples of the modified registry value include:

In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Sets value: "(default)"
With data: ""%ProgramFiles%\internet explorer\iexplore.exe" http://www.22find.com/?utm_source=b&utm_medium=&from=&uid=&ts="

In addition, it can change one of the following registry values to point to one of these websites:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=&from=&uid=&ts="

In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.22find.com/?utm_source=b&utm_medium=&from=&uid=&ts="

In subkey: HKCU\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing
Sets value: "NewTabPageShow"
With data: "1"
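A defender-side check covering both the shortcut folders and the registry locations listed above, added here as an example and not part of the Microsoft write-up. It assumes the WScript.Shell COM object for reading .lnk targets, treats any URL in a browser shortcut's arguments or in a StartMenuInternet open command as suspect, and flags the IE Start Page (normally a URL even on a clean system) only when it matches one of the redirect domains listed above.

```powershell
# Constructed check, not Microsoft's tooling: report browser shortcuts and registry values
# that show the Wysotot.E start-page hijack pattern described in the write-up.
$browsers = 'chrome.exe','firefox.exe','iexplore.exe','opera.exe'
$hijack   = '22find\.com|22apple\.com|delta-homes\.com|portaldosites\.com|qone8\.com|qvo6\.com|v9\.com'

# Shortcut folders named in the write-up, resolved for the current user and All Users.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    [Environment]::GetFolderPath('Startup'),
    (Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Internet Explorer\Quick Launch')
)

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($dir in $folders) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = ([IO.Path]::GetFileName([string]$lnk.TargetPath)).ToLower()
        # A clean browser shortcut has empty arguments; a URL there is the hijack pattern.
        if ($browsers -contains $exe -and $lnk.Arguments -match 'https?://') {
            $findings += [PSCustomObject]@{ Type='Shortcut'; Location=$_.FullName; Value=$lnk.Arguments }
        }
    }
}

# StartMenuInternet\<browser>\shell\open\command should hold only the browser path, never a URL.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue | ForEach-Object {
    $cmdKey = Join-Path $_.PSPath 'shell\open\command'
    $cmd    = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'https?://') {
        $findings += [PSCustomObject]@{ Type='Registry'; Location=$cmdKey; Value=$cmd }
    }
}

# IE Start Page in both hives: flag only when it points at one of the listed redirect domains.
foreach ($hive in 'HKCU','HKLM') {
    $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $sp  = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp -match $hijack) {
        $findings += [PSCustomObject]@{ Type='Registry'; Location="$key\Start Page"; Value=$sp }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM keys are readable; an empty table means none of the listed locations show the pattern.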



Analysis by Shali Hsieh

Symptoms

The following could indicate that you have this threat on your PC:

  • You have this file:
    %TEMP%\v9zip_000\autorun.exe

Last update 27 March 2014
